EP1126356B1 - Tamper resistant microprocessor - Google Patents
- Publication number
- EP1126356B1, EP01301241A
- Authority
- EP
- European Patent Office
- Prior art keywords
- program
- execution
- key
- data
- encrypted
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/109—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by using specially-adapted hardware at the client
Definitions
- the present invention relates to a microprocessor that can prevent illegal alteration of execution codes and processing target data under a multi-task program execution environment.
- Such a microprocessor is not designed for any specific hardware and can be implemented in a variety of hardware, so that there is an advantage that the users who already possess PCs can enjoy reproduction and editing of video images and audio sounds inexpensively by simply changing a microprocessor for executing programs.
- the tamper resistant software technique is also effective in preventing illegal copying of valuable information including not only video and audio data but also text and know-how that is to be provided to a user through the PC, and protecting know-how contained in the PC software itself from analysis.
- the tamper resistant software technique is a technique which makes analysis using tools such as a disassembler or debugger difficult by encrypting a portion of the program that requires protection before the execution of the program starts, decrypting that portion immediately before executing that portion and encrypting that portion again immediately after the execution of that portion is completed. Consequently, as long as the program is executable by a processor, it is always possible to analyze the program by carrying out the analysis step by step starting from the start of the program.
- the current OS realizes the management of resources under the control of the computer and the arbitration of their uses by utilizing a privileged operation function with respect to a memory and an execution control function provided in CPU.
- Targets of the management include the conventional targets such as devices, CPU and memory resources, as well as QoS (Quality of Service) at network or application level.
- the basics of the resource management are still allocations of resources necessary for the execution of a program. Namely, an allocation of a CPU time to the execution of that program and an allocation of a memory space necessary for the execution are the basics of the resource management.
- the control of the other devices, network and application QoS is realized by controlling the execution of a program that makes accesses to these resources (by allocating a CPU time and a memory space).
- the OS has privileges for carrying out the CPU time allocation and the memory space allocation. Namely, the OS has a privilege for interrupting and restarting an application program at arbitrary timing and a privilege to move a content of a memory space allocated to an application program to a memory of a different hierarchical level at arbitrary timing, in order to carry out the CPU time allocation.
- the latter privilege is also used for the purpose of providing a flat memory space to the application by concealing (normally) hierarchical memory systems with different access speeds and capacities from the application.
- the OS can interrupt an execution state of the application and take a snapshot of it at arbitrary timing, and restart it after making a copy of it or rewriting it.
- This function can also be used as a tool for analyzing secrets hidden in the application.
- the conventional technique based on the x86 architecture of Intel Corporation is a technique for storing the execution codes and data by encrypting them by using a prescribed encryption key Kx.
- the encryption key Kx is given in a form of E_Kp[Kx] which is encrypted by using a public key Kp corresponding to a secret key Ks embedded in a processor. Consequently, only the processor that knows Ks can decrypt the encrypted execution codes on a memory.
- the encryption key Kx is stored in a register inside the processor called a segment register.
- the system employing this technique has a drawback in that the analysis of the program becomes possible by utilizing a privilege of the OS called a context switching, without decrypting the encrypted execution codes.
- the context switching is an operation to store an execution state (which will be referred to as a context information hereafter) of the program indicating a set of register values at that point into a memory, and restoring the context information of another program stored in the memory in advance into the registers.
- Fig. 15 shows the conventional context storing format used in the x86 processor. All the contents of the registers used by the application are contained here. The context information of the interrupted program is restored into the registers when the program is restarted.
- the context switching is an indispensable function in order to operate a plurality of programs in parallel.
- the OS can read the register values at a time of the context switching, so that it is possible to guess most of the operations made by the programs if not all, according to how the execution state of that program has changed.
- the processor has a debugging support function such as a stepwise execution, and there has been a problem that the OS can analyze the application by utilizing all these functions.
- U.S. Patent No. 5,224,166 asserts that the program can access the encrypted data only by the program execution using the encrypted code segment.
- the encrypted data can be freely read by the encrypted program by using arbitrary key, regardless of the encryption key by which the program is encrypted, even when there are programs encrypted by using mutually different encryption keys.
- This conventional technique does not account for the case where the OS and the application have their own secrets independently and the secret of the application is to be protected from the OS or a plurality of program providers have their own secrets separately.
- Japanese Patent Application Laid Open No. 11-282667 (1999) discloses a technique of a secret memory provided inside the CPU in order to store the secret information of the application.
- a prescribed reference value is required in order to access data in the secret memory.
- this reference fails to disclose how to protect the reference value for obtaining the access right with respect to the secret data from a plurality of programs operating in the same CPU, especially the OS.
- this technique requires different sub-processors for different applications so that it requires a high cost, and the implementation and fast realization of the compiler and processor hardware for processing such instruction system are expected to be very difficult as they are quite different from those of the currently used processors.
- In this type of processor, it becomes difficult to comprehend correspondences among the data contents and the operations even when the data and the operations of the actually operated codes are observed and traced, so that the debugging of the program becomes very difficult. This technique therefore has many practical problems compared with the other conventional techniques described above in which the program codes and the data are simply encrypted, such as those of U.S. Patent No. 5,224,166 and Japanese Patent Application Laid Open No. 11-282667.
- US Patent 4558176 discloses a computer system for inhibiting unauthorized copying and usage, and automated cracking of protected software, comprising a context information saving unit and a restart unit; the state of a CPU can be saved in the external memory.
- a microprocessor having a unique secret key and a unique public key corresponding to the unique secret key that cannot be read out to external, comprising: a reading unit configured to read out a plurality of programs encrypted by using different execution code encryption keys from an external memory; a decryption unit configured to decrypt the plurality of programs read out by the reading unit by using respective decryption keys; an execution unit configured to execute the plurality of programs decrypted by the decryption unit; a context information saving unit configured to save a context information for one program whose execution is to be interrupted, into a context information memory provided inside the microprocessor, or encrypt the context information and save the encrypted context into the external memory, the context information containing information indicating an execution state of the one program; and a restart unit configured to restart an execution of the one program by reading out the context information from the context information memory, and recovering the execution state of the one program from the context information, or reading the encrypted context information from external
- the present invention provides a microprocessor as defined in Claim 1.
- the present invention can provide a microprocessor capable of surely protecting both the internally executed algorithm and the data state inside a memory region from illegal analysis in the multi-task environment even when the execution is stopped by the interruption.
- the microprocessor is preferably capable of surely protecting the codes even at a time of the program execution interruption, in which this protection is compatible with both the execution control function and the memory management function required by the current OS.
- the invention can also provide a microprocessor in which each program can secure a correctly readable/writable data region independently even when a plurality of programs encrypted by using different encryption keys are to be executed.
- the microprocessor preferably has a data region for protecting the secret of each application from the OS when a plurality of applications have their respective (encrypted) secrets.
- the invention can also provide a microprocessor capable of protecting the protected attributes (i.e., encrypted attributes) of the above-described data region from illegal rewriting by the OS.
- the invention can also provide a microprocessor capable of protecting the encrypted attributes from the so-called chosen plaintext attack of the cryptanalysis theory, in which the program can use arbitrary value as the data encryption key.
- the invention can also provide a microprocessor provided with a mechanism for the program debugging and feedback.
- the debugging of the program is preferably carried out in plain text and the feedback of information on defects is preferably provided to a program code provider (program vendor) in the case of the execution failure.
- the microprocessor is preferably capable of achieving these improvements in a form that realizes both a low cost and a high performance.
- the microprocessor which is formed as a single chip or a single package reads a plurality of programs encrypted by using code encryption keys that are different for different programs, from a memory (a main memory, for example) external of the microprocessor through a bus interface unit that provides a reading function.
- a decryption unit decrypts these plurality of read out programs by using respectively corresponding decryption keys, and an instruction execution unit executes these plurality of decrypted programs.
- a context information encryption/decryption unit that provides an execution state writing function encrypts information indicating a state of execution up to an interrupted point of the program to be interrupted and the code encryption key of this program, by using an encryption key unique to the microprocessor, and writes the encrypted information as a context information into a memory external of the microprocessor.
- a verification unit that provides a restarting function decrypts the encrypted context information by using a unique decryption key corresponding to the unique encryption key of the microprocessor, and restarts the execution of the program only when the code encryption key contained in the decrypted context information (that is the code encryption key of the program scheduled to be restarted) coincides with the original code encryption key of the interrupted program.
- the microprocessor also has a memory region (a register, for example) inside the processor that cannot be read out to the external, and an encrypted attribute writing unit (an instruction TLB, for example) for writing encrypted attributes for the processing target data of the program into the internal memory.
- the encrypted attributes include the code encryption key of the program and an encryption target address range, for example. At least a part of these encrypted attributes is contained in the context information.
- the context information encryption/decryption unit also attaches a signature based on a secret information unique to the microprocessor to the context information.
- the verification unit judges whether the signature contained in the decrypted context information coincides with the original signature based on the secret information unique to the microprocessor or not, and restarts the interrupted program only when they coincide.
- the state of execution up to an interrupted point of the encrypted program is stored in the external memory as the context information, while the protected attributes of the execution processing target data are stored in the register inside the processor, so that the illegal alteration of the data can be prevented.
- the microprocessor that is formed as a single chip or a single package maintains a unique secret key therein that cannot be read out to the external.
- the bus interface unit that provides a reading function reads the code encryption key that is encrypted by using a unique public key of the microprocessor corresponding to the secret key in advance from a memory external of the microprocessor.
- a key decryption unit that provides a first decryption function decrypts the read out code encryption key by using the secret key of the microprocessor.
- the bus interface unit also reads out a plurality of programs encrypted by respectively different code encryption keys from an external memory.
- a code decryption unit that provides a second decryption function decrypts these plurality of read out programs.
- the instruction execution unit executes these plurality of decrypted programs.
- In the case of interrupting the execution of some program among the plurality of programs, a random number generation mechanism generates a random number as a temporary key.
- the context information encryption/decryption unit writes a first value obtained by encrypting information indicating the execution state of the program to be interrupted by using the random number, a second value obtained by encrypting this random number by using the code encryption key of the program to be interrupted, and a third value obtained by encrypting this random number by using the secret key of the microprocessor, into the external memory as the context information.
- the context information encryption/decryption unit reads out the context information from the external memory, decrypts the random number of the third value contained in the context information by using the secret key, and decrypts the execution state information contained in the context information by using the decrypted random number.
- the random number of the second value contained in the context information is decrypted by using the code encryption key of the program scheduled to be restarted.
- the random number obtained by decrypting the second value by using the code encryption key and the random number obtained by decrypting the third value by using the secret key are compared with the temporary key, and the execution of the program is restarted only when they coincide.
- the context information indicating the state of execution up to an interrupted point is encrypted by using the random number that is generated at each occasion of the storing, and the signature using the secret key unique to the microprocessor is attached, so that the context information can be stored in the external memory safely.
- the microprocessor that is formed as a single chip or a single package reads out a plurality of programs encrypted by using the encryption keys that are different for different programs, and executes them.
- This microprocessor has an internal memory (a register, for example) that cannot be read out to the external, and stores the encrypted attributes for data to be referred from each program (that is the processing target data) and the encrypted attribute specifying information into the register.
- the context information encryption/decryption unit writes a related information that is related to the encrypted attribute specifying information stored in the register and containing a signature unique to the microprocessor, into the external memory.
- a protection table management unit reads the related information from the external memory according to an address of the data to be referred by the program.
- the verification unit verifies the signature contained in the read out related information by using the secret key, and permits the data referring by the program according to the encrypted attribute specifying information and the read out related information only when that signature coincides with the signature unique to the microprocessor.
- the information to be stored in the internal register is attached with the signature and stored into the external memory, and only the necessary portion is read out to the microprocessor.
- the signature is verified at a time of reading, so that the safety against the substitution can be secured. Even when the number of programs to be handled is increased and the number of the encrypted attributes is increased, there is no need to expand the memory region inside the microprocessor so that a cost can be reduced.
- Referring to Fig. 1 and Fig. 2, the first example of a tamper resistant microprocessor according to the present invention will be described in detail.
- This first example is directed to a microprocessor for protecting secrets of the program instructions (execution codes) and the context information (execution state) which are to be provided in encrypted forms by using the public key (asymmetric key) cryptosystem, from a user of a target system.
- Fig. 1 shows the target system, where a microprocessor 2101 of the target system is connected to a main memory 2103 through a bus 2102.
- the microprocessor 2101 has a register file 2111, an instruction execution unit 2112, an instruction buffer 2113, a public key decryption function 2114, a secret key register 2115, a common key decryption function 2116, a common key register 2117, a BIU (Bus Interface Unit) 2118, a register buffer 2119, a public key register 2120, an encryption function 2121, a decryption function 2122, and a previous common key register 2123, which will be described in further detail below.
- a program is a set of data and a series of machine language instructions written for some specific purpose.
- the OS is a program for managing resources of the system.
- the application is a program to be operated under the resource management of the OS.
- This example presupposes the multi-task system, so that a plurality of application programs will be operated in a quasi parallel manner under the management of the OS.
- Each one of these programs that are operated in the quasi parallel manner will be referred to as a process.
- There are cases where a set of processes for executing the processes for the same purpose will be referred to as a task.
- the instructions and data of the application program are usually stored in files on a secondary memory. They are arranged on a memory by a loader of the OS and executed as a process.
- the execution of the program is often interrupted by an exception (or interruption) processing of the processor caused by input/output or the like.
- a program for carrying out the exception processing will be referred to as an exception handler.
- the exception handler is usually set up by the OS.
- the OS can process an exception request from the hardware, interrupt the operation of the application and restart or start the operation of another application at arbitrary timing.
- the interruptions of the process include transitory cases where the execution of the original process is restarted without switching processes after the execution of the exception handler, and cases requiring the process switching. Examples of the former include a simple timer increment and examples of the latter include a virtual memory processing due to the page exception.
- the object of this example is to protect the program instructions (execution codes) and the execution state from a user of the target system who can freely read the main memory of the target system and freely alter the OS program or application programs.
- the basic features for achieving this object are the access control with respect to the information storage inside the processor and the encryption based on the information listed below.
- This processor is capable of executing a program with coexisting plaintext instructions and encrypted instructions which is placed on the main memory.
- a plaintext program will be described with references to Fig. 1 and a memory arrangement shown in Fig. 2 .
- Fig. 2 shows an entire memory space 2201, in which programs are placed in regions 2202 to 2204 on the main memory, where regions 2202 and 2204 are plaintext regions while a region 2203 is an encrypted region.
- a region 2205 stores a key information to be used in decrypting the region 2203.
- the execution of the program is started as the control is shifted from the OS by an instruction for jump to a top X of the program or the like.
- the instruction execution unit 2112 executes the instruction for jump to X, and outputs an address of the instruction to the BIU 2118.
- the content of the address X is read through the bus 2102, sent from the BIU 2118 to the instruction buffer 2113, and sent to the instruction execution unit 2112 where the instruction is executed. Its operation result is reflected in the register file 2111.
- When the operation target is reading/writing with respect to an address on the main memory 2103, its address value is sent to the BIU 2118, that address is outputted from the BIU 2118 to the bus 2102, and data reading/writing with respect to the memory is carried out.
- the instruction buffer 2113 has a capacity for storing two or more instructions, and the instructions corresponding to a size of the instruction buffer 2113 are collectively read out from the main memory 2103.
- the processor of this example has two states including the execution of plaintext instructions and the execution of encrypted instructions, and two types of instructions for controlling these states are provided.
- One is an encryption execution start instruction for making a transition from the execution of plaintext instructions to the execution of encrypted instructions, and another is a plaintext return instruction for making a reverse transition.
- the encryption execution start instruction is denoted by the following mnemonic "execenc" and takes one operand:
- the encrypted region 2203 comprises a sequence of encrypted instructions.
- the instructions are subdivided into blocks in units of a prefetch queue size and encrypted by the secret key algorithm such as DES (Data Encryption Standard) algorithm.
- a key to be used in this encryption will be denoted as Kx hereafter. Since the secret key algorithm is used, the same key Kx is also used for the decryption.
- If Kx is placed on the main memory in a plaintext form, a user who can operate the OS of the target system can easily read it and analyze the encrypted program.
- E_Kp[Kx] obtained by encrypting Kx by using the public key Kp of the processor will be placed in the region 2205 of the memory. A top address of this region is indicated by "keyaddr".
- Decrypting Kx requires the secret key Ks corresponding to the public key Kp. Consequently, the secret of the program will never be leaked to the user as long as the user of the target system does not know Ks.
- This Ks is stored in a form that cannot be read out from the external, inside the processor.
- the processor can decrypt Kx internally without allowing the user to learn about it, and the processor can also decrypt the encrypted program by using Kx and execute it.
- the encryption execution start instruction and the subsequent execution of the encrypted instructions will be described in detail.
- the control is shifted to the encryption execution start instruction at the address "start".
- the content of the specified region 2205 is read out to the instruction execution unit 2112 of the processor as data.
- the instruction execution unit 2112 sends this data E_Kp[Kx] to the public key decryption function 2114.
- the public key decryption function 2114 takes out Kx by decrypting E_Kp[Kx] by using a secret key Ks unique to the processor which is stored in the secret key register 2115, and stores it in the common key register 2117. Then, the processor enters the encrypted instruction execution state.
- the processor package is manufactured such that the contents stored in the secret key register 2115 and the common key register 2117 cannot be read out to the external by the program or the debugger of the processor chip.
- the key to be used in decrypting the subsequent instructions is stored into the common key register 2117, and the processor enters the encrypted instruction execution state.
- the instructions read from the main memory 2103 are sent from the BIU 2118 to a common key decryption function 2116, decrypted by using the key information stored in the common key register 2117 and stored into the instruction buffer 2113.
- the program encrypted by using the key Kx which is stored in the region 2204 next to the encryption execution start instruction will be decrypted, stored in the instruction buffer 2113, and executed.
- the reading is carried out in units of a size of the instruction buffer 2113.
- Fig. 2 shows an exemplary case where the size of the instruction buffer 2113 is 64 bits, and four instructions of 16 bits size each are collectively read out to the instruction buffer 2113.
- the processor in the encrypted instruction execution state returns to the plaintext instruction execution state by the execution of the plaintext return instruction.
- the plaintext return instruction is denoted by the following mnemonic:
- the register file 2111 of this processor has 32 general purpose registers (R0 to R31). R31 is used as a program counter. The contents of the general purpose registers are stored in the register file 2111.
- the contents of the register file 2111 are moved to the register buffer 2119, and the contents of the register file 2111 are initialized by a prescribed value or a random number.
- the value of the common key used for decryption of the encrypted program is stored in the previous common key register 2123. Only when these two types of initialization are completed, the control is shifted to the exception handler and the instructions of the exception handler are executed. The instructions of the exception handler are assumed to be non-encrypted.
- the register contents stored in the register buffer 2119 cannot be read out directly from the non-encrypted program of the exception handler.
- the non-encrypted program of the exception handler is only allowed to perform the following two operations with respect to the register buffer 2119.
- the case of (2) corresponds to the case where the process switching occurs at a timing of the execution of the exception handler.
- the exception handler or a task dispatcher of the processor issues a "savereg" (save register) instruction for saving the contents of the register buffer 2119 into the memory.
- This "savereg" instruction is denoted by the following mnemonic:
- the contents of the register buffer 2119 and the previous common key register 2123 are encrypted by the encryption function 2121 by using the public key Kp of the processor stored in the public key register 2120, and saved at an address on the main memory 2103 specified by "dest" through the BIU 2118.
- the main memory 2103 is outside the processor so that it has a possibility of being accessed by the user, but these contents are encrypted by the public key of the processor so that the user who does not know the secret key of the processor cannot learn the register buffer contents.
- the OS activates another encrypted program by the method described above. If another encrypted program is activated without saving the register buffer contents, the register buffer contents would be rewritten to those of another encrypted program when the execution of another encrypted program is interrupted, and it would become impossible to restart the original encrypted program as the register buffer contents for the original encrypted program are lost.
- the number of the register buffer is assumed to be one, but it is also possible to provide a plurality of register buffers so as to be able to deal with multiple exceptions.
- rcvrreg recovery register
- the encrypted execution state information is taken out from the address of the memory specified by "addr" by the BIU 2118 of the processor, decrypted by using the secret key Ks of the processor by the decryption function 2122, and the register information is recovered in the register file 2111 while the program decryption key is recovered in the common key register 2117.
- the recovery is completed, the execution of the interrupted program is restarted from a point indicated by the program counter. At this point, the key Kx recovered from the execution state information will be used for decryption of the encrypted program.
- the program that has generated the execution state will be referred to as an original program for that execution state.
- the original program can be restarted by recovering the execution state in the registers.
- programs other than the program that has generated the execution state, that is, programs encrypted by encryption keys different from that of the original program or plaintext programs, will be referred to as other programs.
- the illegal accesses or the attacks with respect to the execution state generated by some original program are defined as an act of directly analyzing the execution state on the memory by some method independently from the operation of the processor by a third party who does not know the encryption key of the original program, or an act of analyzing the execution state or rewriting the execution state to a desired value by a third party utilizing the other programs operated on the same processor.
- the execution state is protected by the following three types of mechanisms so as to prevent the illegal accesses utilizing the access to the memory external of the processor or the other programs.
- the register information is saved in the register buffer 2119 when the execution of the encrypted program is interrupted. Then, the register buffer 2119 and the previous common key register 2123 cannot be accessed by any methods other than that using the "rcvrreg" instruction or the "savereg" instruction, so that the other programs cannot read their contents freely.
- the register contents at a time of the exception occurrence can be freely read by the exception handler program.
- the register contents are saved in the register buffer 2119 so as to prohibit the reading from the other programs, and the instruction for saving the register buffer contents by encrypting them by using the public key of the processor is provided so as to prevent the peeping of the execution state saved on the memory by the user of the system.
- the second attacking method includes a method for reading values of the registers contained in the execution state by placing the instruction of some other program known to the attacker at the same memory address as the original program such that this other program reads the encrypted execution state.
- the encrypted execution state contains the program encryption key, and this key will be used in decrypting the encrypted program at a time of restart. Because of this mechanism, even when a program other than the original program attempts to read the execution state, the key does not match, so that the program cannot be decrypted correctly and cannot be executed according to the intention of the attacker. Thus the second attacking method is impossible in the microprocessor of this example.
- This effect cannot be realized by simply encrypting the execution state itself by the public key of the processor, but can be realized by encrypting the decryption key of the original program and the execution state integrally.
- values of the registers (R0 to R31) and the common key Kx should preferably be stored in the identical cipher block at a time of the encryption using the public key.
- the encryption of the data is not accounted, but it should be apparent to those skilled in the art that it is possible to add the data encryption function to the microprocessor of this example similarly as the data encryption in the microprocessor for supporting the virtual memory which will be described in the preferred embodiment.
- the microprocessor according to the present invention will be described for an exemplary case of using an architecture based on the widely used Pentium Pro microprocessor of the Intel corporation, but the present invention is not limited to this particular architecture.
- features specific to the Pentium Pro microprocessor architecture will be noted and applications to the other architectures will be mentioned.
- Pentium Pro architecture distinguishes three types of addresses in the address space including physical addresses, linear addresses and logical addresses, but the linear addresses in the Pentium terminology will also be referred to as logical addresses in this embodiment.
- the protection implies the protection of secrets of applications (that is the protection by encryption), unless otherwise stated. Consequently, the protection in this embodiment should be clearly distinguished from the ordinarily used concept of protection, that is the prevention of disturbances on the operations of the other applications due to the operation of some application.
- the operation protection mechanism in the ordinary sense is of course provided by the OS (although the description of this aspect will be omitted as it is unrelated to the present invention), in parallel to the protection of secrets of applications according to the present invention.
- machine language instructions that are executable by the processor will be referred to as instructions, and a plurality of instructions will be collectively referred to as an execution code or an instruction stream.
- a key used in encrypting the instruction stream will be referred to as the execution code encryption key.
- the secret protection mechanism will be described as protecting secrets of applications under the management of the OS, but this mechanism can also be utilized as a mechanism for protecting the OS itself from alteration or analysis.
- Fig. 3 shows a basic configuration of the microprocessor according to this embodiment.
- Fig. 4 shows a detailed configuration of the microprocessor shown in Fig. 3.
- the microprocessor 101 has a processor core 111, an instruction TLB (Table Lookup Buffer) 121, an exception processing unit 131, a data TLB (Table Lookup Buffer) 141, and a secondary cache 152.
- the processor core 111 includes a bus interface unit 112, a code and data encryption/decryption processing unit 113, a primary cache 114, and an instruction execution unit 115.
- the instruction execution unit 115 further includes an instruction fetch/decode unit 214, an instruction table 215, an instruction execution switching unit 216, and an instruction execution completing unit 217.
- the exception processing unit 131 further includes a register file 253, a context information encryption/decryption unit 254, an exception processing unit 255, a secret protection violation detection unit 256, and an execution code encryption key and signature verification unit 257.
- the instruction TLB 121 further includes a page table buffer 230, an execution code decryption key table buffer 231, and a key decryption unit 232.
- the data TLB 141 further includes a protection table management unit 233.
- the microprocessor 101 has a key storage region 241 for storing a public key Kp and a secret key Ks which are unique to this microprocessor.
- the program vendor encrypts the program A by using a common execution code encryption key Kcode (E Kcode [A]) before supplying the execution program A, and sends the common key Kcode used for encryption in a form encrypted by using the public key Kp of the microprocessor 101 (E Kp [Kcode]) to the microprocessor 101.
- the microprocessor 101 is a multi-task processor which processes not only this execution program A but also a plurality of different encrypted programs in a quasi parallel manner (that is by allowing interruptions). Also, the microprocessor 101 obviously executes not only the encrypted programs but also plaintext programs.
- the microprocessor 101 reads out a plurality of programs encrypted by using different execution code encryption keys from a main memory 281 external of the microprocessor 101 through the bus interface unit (reading function) 112.
- the execution code decryption unit 212 decrypts the plurality of read out programs by using respectively corresponding decryption keys, and the instruction execution unit 115 executes the plurality of decrypted programs.
- the context information encryption/decryption unit 254 of the exception processing unit 131 encrypts information indicating the execution state up to an interrupted point of the program to be interrupted and the code encryption key of this program by using the public key of the microprocessor 101, and writes the encrypted information into the main memory 281 as the context information.
- the execution code encryption key and signature verification unit 257 decrypts the encrypted context information by using the secret key of the microprocessor 101, verifies whether the execution code encryption key contained in the decrypted context information (that is the execution code encryption key of the program scheduled to be restarted) coincides with the original execution code encryption key of the interrupted program, and restarts the execution of the program only when they coincide.
- the instruction fetch/decode unit 214 attempts to read the content of an address indicated by a program counter (not shown) from an L1 instruction cache 213. If the content of the specified address is cached, the instruction is read out from the L1 instruction cache 213, sent to the instruction table 215, and executed.
- the instruction table 215 is capable of executing a plurality of instructions in parallel, and requests reading of data necessary for carrying out the execution to the instruction execution switching unit 216 and receives the data.
- the execution results are sent to the instruction execution completing unit 217.
- the instruction execution completing unit 217 writes the execution result into the register file 253 when the operation target is a register inside the microprocessor 101, or into an L1 data cache 218 when the operation target is a memory.
- the content of the L1 data cache 218 is cached once again by an L2 cache 152 under the control of the bus interface unit 112, and written into the main memory 281.
- the virtual memory mechanism is used, where a correspondence between the logical memory address and the physical memory address is defined by a page table shown in Fig. 5.
- the page table is a data structure placed on the physical memory.
- the data TLB 141 actually carries out a conversion from the logical address to the physical address, and at the same time manages the data cache.
- the data TLB 141 reads a necessary portion of the table according to a top address of the table indicated by a register inside the microprocessor 101, and carries out the operation for converting the logical address into the physical address.
- only the necessary portion of the page table is read out to a page table buffer 234 according to the logical address to be accessed, rather than reading out the entire page table on the memory to the data TLB 141.
- the basic cache operation is stable regardless of whether the instructions of the program are encrypted or not. Namely, a part of the page table is read out to the instruction TLB 121, and the address conversion is carried out according to the definition contained therein.
- the bus interface unit 112 reads instructions from the main memory 281 or the L2 cache 152, and instructions are stored in the L1 instruction cache 213. The reading of instructions out to the L1 instruction cache 213 is carried out in units of a line formed by a plurality of words, which enables a faster access than the reading in word units.
- the address conversion utilizing the same page table on the physical memory is also carried out for the processing target data of the executed instructions, and the execution of the conversion is carried out at the data TLB 141 as described above.
- the operation up to this point is basically the same as the general cache memory operation.
- the execution codes for which secrets are to be protected are all encrypted, and the encrypted execution codes will also be referred to as protected codes.
- a range of the protection by the same encryption key will be referred to as a protection domain. Namely, a set of codes protected by the same encryption key belongs to the same protection domain, and codes protected by different encryption keys belong to different protection domains.
- the execution codes of a program encrypted by the secret key scheme block cipher algorithm are stored on the main memory 281.
- a method for loading the encrypted program transmitted from a program vendor will be mentioned below.
- a cipher block size of the execution codes can be any value as long as two to the power of the block size coincides with a line size that is a unit for reading/writing with respect to the cache memory.
- the block size is so small that a block length coincides with an instruction length, there arises a possibility for analyzing the instruction easily by recording a correspondence between encrypted data and a predictable portion of the instruction such as a top portion of a sub-routine.
- the blocks are interleaved such that there is a mutual dependency among data in the blocks and the encrypted block contains information on a plurality of instruction words or operands. In this way, it is made difficult to set a correspondence between the instruction and the encrypted block.
- Figs. 7A and 7B show an example of the interleaving that can be used in this embodiment.
- the line size of the cache is 32 bytes and the block size is 64 bits (i.e., 8 bytes).
- one word is formed by 4 bytes, so that a word A is formed by 4 bytes of A0 to A3.
- One line is formed by 8 words of A to H.
- A0, B0, ..., H0 are arranged in the first block corresponding to word 0 and word 1, A1, B1, ..., H1 are arranged in the next block, and so on.
- An attack can be made more difficult by setting a length of a region to be interleaved longer, but the interleaving of a region with a length longer than the line size makes the processing more complicated and lowers the processing speed because the decryption/encryption of one cache line would depend on reading/writing of another line.
- the method for interleaving data of blocks is used such that there is a mutual dependency among data in a plurality of blocks contained in the cache line, but it is also possible to use the other method for generating a dependency among data blocks, such as the CBC (Cipher Block Chaining) mode of the block cipher.
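The layout described for Figs. 7A and 7B can be modelled in a few lines. The following is an added example, not code from the patent: it transposes one 32-byte line so that block k holds A_k, B_k, ..., H_k, encrypts in 8-byte blocks, and compares two lines that share a predictable routine entry. The Feistel cipher, the key value and the sample lines are assumptions standing in for the unspecified block cipher and real code.

```python
"""Cache-line interleaving before block encryption (model of Figs. 7A/7B)."""
import hashlib

LINE_SIZE, BLOCK_SIZE, WORD_SIZE = 32, 8, 4   # sizes given in the text
WORDS = LINE_SIZE // WORD_SIZE                # 8 words per line: A..H
ROUNDS = 8                                    # assumption: toy cipher only


def interleave(line: bytes) -> bytes:
    """Block k of the result holds byte k of every word: A_k, B_k, ..., H_k."""
    if len(line) != LINE_SIZE:
        raise ValueError("expected one 32-byte cache line")
    return bytes(line[w * WORD_SIZE + k]
                 for k in range(WORD_SIZE) for w in range(WORDS))


def deinterleave(data: bytes) -> bytes:
    """Inverse transposition, applied after the blocks have been decrypted."""
    if len(data) != LINE_SIZE:
        raise ValueError("expected one 32-byte cache line")
    return bytes(data[k * WORDS + w]
                 for w in range(WORDS) for k in range(WORD_SIZE))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher (not the patent's algorithm).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """64-bit balanced Feistel network, a stand-in for the secret key cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def encrypt_line(key: bytes, line: bytes, interleaved: bool = True) -> bytes:
    data = interleave(line) if interleaved else line
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def decrypt_line(key: bytes, cipher: bytes, interleaved: bool = True) -> bytes:
    data = b"".join(decrypt_block(key, b) for b in _blocks(cipher))
    return deinterleave(data) if interleaved else data


def matching_blocks(key: bytes, line_a: bytes, line_b: bytes,
                    interleaved: bool) -> list:
    """Indices of cipher blocks that come out identical for both lines."""
    ca = _blocks(encrypt_line(key, line_a, interleaved))
    cb = _blocks(encrypt_line(key, line_b, interleaved))
    return [i for i, (x, y) in enumerate(zip(ca, cb)) if x == y]


# Constructed sample data: two lines that begin with the same two words
# (a predictable routine entry) and continue with different code.
KCODE = bytes.fromhex("0011223344556677")
ENTRY = bytes.fromhex("a1a2a3a4b1b2b3b4")
LINE_1 = ENTRY + bytes(range(0x10, 0x28))
LINE_2 = ENTRY + bytes(range(0x60, 0x78))

if __name__ == "__main__":
    print("identical blocks, no interleave:",
          matching_blocks(KCODE, LINE_1, LINE_2, interleaved=False))
    print("identical blocks, interleaved:  ",
          matching_blocks(KCODE, LINE_1, LINE_2, interleaved=True))
```

Without interleaving, the shared entry words produce the same ciphertext block in both lines, which is the correspondence the text warns about; with interleaving every block also depends on the six differing words.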
- the decryption key Kcode (which will also be referred to as the encryption key hereafter even in the case of decryption because the encryption key and the decryption key are identical in the secret key algorithm) of the encrypted execution codes is determined according to the page table.
- Fig. 5 and Fig. 6 show a table structure of the conversion from the logical address to the physical address.
- a logical address 301 of the program counter indicates some value, and a directory 302 and a table 303 constituting its upper bits specify a page entry 307-j.
- the page entry 307-j contains a key entry ID 307-j-k, and a key entry 309-m to be used for decryption of this page is determined in a key table 309 according to this ID.
- the physical address of the key table 309 is specified by a key table control register 308 inside the microprocessor.
- the ID of the key entry is set in the page entry rather than setting the key information directly, such that the key information in a large size is shared among a plurality of pages so as to save a limited size of a memory region on the instruction TLB 121.
- the page table and key table information is stored into the instruction TLB 121 as follows. Only portions necessary for the access to the memory are read out from the page tables 306, 307 and 311 to the page table buffer 230, and from the key table 309 to the execution code decryption key table buffer 231.
- a reference counter of the key object 309-m which is an element of the key table 309 indicates the number of page tables that refer to this key object.
- this reference counter indicates the number of page tables that refer to this key object and that are read out to the page table buffer 230. This reference counter will be used for judgement at a time of deleting any unnecessary key object from the execution code decryption key table buffer 231.
- the key table entry has a fixed length but a key length used in each table is made variable in order to be able to deal with a higher cryptanalytic power, and specified at a key size region of the key table. It implies that the secret key Ks unique to the microprocessor 101 is fixed but the length of Kcode to be used for encryption and decryption of the program can be changed by the specification of the key entry.
- the key entry 309-m has a field 309-m-4 pointing to the key entry, which indicates an address of the key object 310.
- the execution code encryption key Kcode is stored in a form E Kp [Kcode] encrypted by the public key algorithm using the public key Kp of the microprocessor 101.
- lengths of Ks and Kp are set to be 1024 bits.
- a length of Kcode is set to be 64 bits, which is extended to 256 bits by padding.
- E[Kcode] is encrypted in a length of 1024 bits and stored in the key object region 310.
- Kcode is so long that it cannot be stored in 1024 bits, it is divided into a plurality of blocks of 1024 bits size each and stored.
- FIG. 8 summarizes the information flow in the code decryption.
- a program counter 501 indicates an address "Addr" on an encrypted code region 502 on a logical address space 502.
- the logical address "Addr" is converted into the physical address "Addr'" according to the page table 307 that is read out to the instruction TLB 121.
- the encrypted code decryption key E[Kcode] is taken out from the key table 309, decrypted by using the secret key Ks provided in the CPU at a decryption function 506, and stored into a current code decryption key memory unit 507.
- the common key Kcode for the code encryption is encrypted by using the public key Kp of the microprocessor 101 by the program vendor, and supplied along with the program encrypted by using Kcode, so that the user who does not know the secret key Ks of the microprocessor 101 cannot know Kcode.
- the program vendor keeps and manages Kcode safely such that its secret will not be leaked to a third party.
- An entire key table 511 and an entire page table 512 are placed in a physical memory 510, and their addresses are specified by a key table register 508 and a CR3 register 509 respectively. From the contents of these entire tables, only necessary portions are cached into the instruction TLB 121 through the bus interface unit 112.
- this page is encrypted so that it is decrypted at a code decryption function 212.
- the reading is carried out in units of the cache line size, and after the decryption in block units, the inverse processing of the interleaving described above is carried out.
- the decrypted result is stored in the L1 instruction cache 213, and executed as an instruction.
- the method for loading the encrypted program and the relocation of the encrypted program will be described.
- a program loader changes an address value contained in the execution codes of the program in order to deal with a change of an address for loading the program, but this method is not applicable to the encrypted program.
- the relocation of the encrypted program is possible by using a method of realizing the relocation without directly rewriting the execution codes by utilizing a table called jump table or IAT (Import Address Table).
- the key decryption processing by using the secret key 241 and the key decryption unit 232 of the instruction TLB 121 is not carried out at a time of data reading into an L1 data cache 218.
- the data reading is carried out with respect to an encrypted page for which an encryption flag 307-j-E is set to "1" in the page table, either non-decrypted original data or data of a prescribed value "0" will be read out, or else an exception occurs such that the normally decrypted data cannot be read out.
- the encryption flag 307-j-E in the page table is rewritten, the decrypted content of the corresponding instruction cache will be invalidated.
- the encrypted execution codes can be executed in this way, in the microprocessor of this embodiment, by selecting the encryption algorithm and parameters appropriately, it can be made cryptographically impossible for a party who does not know the true value of the execution code encryption key Kcode to analyze the operation of the program by de-assembling the execution codes.
- the execution of the program under the multi-task environment is often interrupted by the exception. Normally, when the execution is interrupted, a state in the processor is saved on the memory, and then the original state is recovered at a time of restarting the execution of that program later on. In this way, it becomes possible to execute a plurality of programs in a quasi parallel manner and accept the interruption processing.
- This information on the state at a time of the interruption is called the context information.
- the context information contains information on registers used by the application, and in some cases, information on registers that are not explicitly used by the application is also contained in addition.
- the control is shifted to the execution codes of the OS while the register state of the application is maintained, so that the OS can check the register state of that program to guess what instructions were executed, or alter the context information maintained in a plaintext form during the interruption so as to change the operation of the program after the restart of the execution of that program.
- the context of the execution immediately before that is encrypted and saved while all the application registers are either encrypted or initialized, and a signature made by the processor is attached to the context information.
- the signature is verified at a time of recovery from the interruption, to check whether the signature is proper or not.
- the recovery is stopped so that the illegal alteration of the context information by the user can be prevented.
- the encryption target registers are user registers 701 to 720 shown in Fig. 9.
- TSS Task State Segment
- the saving of the context information in conjunction with the exception occurrence takes place in the following case.
- an entry corresponding to the interruption cause is read out from a table called IDT (Interrupt Descriptive Table) for describing the exception processing, and the processing described there is executed.
- the context information saved in the indicated TSS is recovered to the processor.
- the context information of the process that has been executed up until then is saved in the TSS region specified by a task register 725 at that point.
- this automatic context saving mechanism it is possible to save the entire state of the application including the program counter and the stack pointer, and detect any alteration at a time of the recovery by verifying the signature.
- this automatic context saving apart from the fact that a large overhead will be caused by the context switching, there arises a problem that it is impossible to carry out the interruption processing without using the TSS.
- the program counter will be saved on the stack and cannot be a target of the verification, so that it can be a target of the alteration by the malicious OS.
- These two cases should preferably be used in their proper ways according to the purpose.
- the microprocessor of this embodiment adopts the automatic context saving with respect to the protected (encrypted) execution codes as a result of attaching more importance to the safety.
- the registers to be automatically saved may not necessarily be all registers.
- the context saving and recovery processing in this embodiment has the following three major features.
- the above feature (2) is effective in preventing a situation where an attacker applies the context generated by the execution of a program A to another encrypted program B and restarts the program B from a known state saved in the context in order to analyze secrets of the data or the codes contained in the program B or alter the operation of the program B.
- This function is also a prerequisite for the data protection to be described below in which each one of a plurality of applications maintains own encrypted data exclusively and independently from the others.
- the reason for providing such a function is that simply encrypting the context information according to the secret information of the processor can protect the context information from the alteration according to the intention of the attacker, but it is impossible to eliminate a possibility for the random alteration of the context that results in the restart of the program from a state with random errors.
- Fig. 10 shows the context saving format in this embodiment conceptually. It is assumed that the interruption due to the hardware or software related cause has occurred during the execution of the protected program. If the IDT entry corresponding to the interruption indicates a TSS, the execution state of the program up to that point is encrypted, and saved as the context information in a TSS indicated by the current task register 725 (rather than the indicated TSS itself). Then, the execution state saved in the TSS indicated by the IDT entry is recovered to the processor. If the IDT entry does not indicate a TSS, only the encryption or the initialization of the current registers is carried out, and the saving into the TSS does not take place. Of course the restart of that program becomes impossible in that case. Note however that the system registers including a part of the flag registers and the task register are excluded from a target of the encryption or the initialization of the registers for the sake of continuation of the OS operation.
- The contents of the context shown in Fig. 10 are actually interleaved, encrypted in block units and stored in the memory.
- the information items to be saved will be described first.
- stack pointers and user registers 802 to 825 corresponding to respective privileged modes are provided, and one word 826 indicating a TSS size and the presence/absence of the encryption is placed next. This indicates whether the TSS in which the processor is saved is encrypted or not. Even in the case where the TSS is encrypted, this region will be maintained in a plaintext form without being encrypted.
- data encryption control register (CY0 to CY3) regions 827 to 830 that are added for the purpose of the data protection are placed, and a padding 831 for adjusting the size to the block length is placed.
- a region 801 for a link to the previous task that maintains a call up relationship among tasks is saved in a plaintext form in order to enable the task scheduling by the OS.
- execution code encryption and signature generation are carried out by the context information encryption/decryption unit 254 in the exception processing unit 131 shown in Fig. 4, which is based on a function independent from the encryption of the processing target data of the execution codes.
- a word in the TSS size region 826 to be recorded in a plaintext form is replaced by a value "0".
- the interleaving similar to that explained with references to Figs. 7A and 7B is applied, and the context is encrypted.
- the padding 831 is set to a size that enables the appropriate interleaving in accordance with the encryption block size.
- the reason for not encrypting the register values directly by the public key Kp of the processor or the execution code encryption key Kcode is to enable the analysis of the encrypted context by both the program vendor and the processor while prohibiting the decryption of the context by the user.
- the program vendor knows the execution code encryption key Kcode so that the program vendor can obtain the encryption key Kr of the context by decrypting E Kcode [Kr] 832 by using Kcode. Also, the microprocessor 101 can obtain the encryption key Kr of the context by decrypting E Kp [Kr] 833 by using its own secret key Ks. Namely, the program vendor can analyze the trouble by decrypting the context information without knowing the secret key of the microprocessor of the user, and the microprocessor 101 itself can restart the execution by decrypting the context information by using its own secret key Ks. The user who does not have either key cannot decrypt the saved context information. Also, the user who does not know the secret key Ks of the microprocessor 101 cannot forge the context information and the signature S Ks [message] with respect to E Kcode [Kr] and E Kp [Kr].
- a random number Kr is generated at a random number generation mechanism 252 of the exception processing unit 131 at each occasion of the context saving, and supplied to the context information encryption/decryption unit 254.
- the context information encryption/decryption unit 254 encrypts the context by the secret key algorithm using the random number Kr.
- E Kcode [Kr] 832 in which the random number Kr is encrypted by the same secret key algorithm using the execution code encryption key Kcode is attached.
- the value E Kp [Kr] 833 is obtained by encrypting the random number Kr by the public key algorithm using the public key Kp of the microprocessor.
- the random number is generated by the random number generation mechanism 252.
- the program is encrypted, normally there is no change in the program codes so that the corresponding plaintext codes cannot be acquired illegally as long as the operation is not analyzed.
- the data entered by the user are to be stored into the memory by encrypting them, the user can freely select the input data. For this reason, it is possible for the user to make the "chosen-plaintext attack" against the encryption key which is far more effective than the "ciphertext-only attack".
- the random number generation mechanism 252 generates the random number (encryption key) for encrypting the context at each occasion of the context saving.
- the encryption key can be selected arbitrarily, there is also an effect that the safe communications between processes or between processes and devices can be realized faster. This is because the speed for encrypting data by the hardware at a time of the memory access is far slower in general than the speed for encrypting data by the software.
- the value of the encryption key for the data region is limited to a prescribed value such as that identical to the execution code encryption key for example, then it becomes impossible to use the data encryption function of the processor for the other programs encrypted by the other encryption keys or the sharing of the encrypted data with the devices, so that it becomes impossible to take advantage of the fast hardware encryption function provided in the processor.
- the decryption of the encrypted random number E Kcode [Kr] 832 that takes place at a time of the restart and the generation of the signature 834 can be based on any algorithm and secret information as long as a condition that they can be carried out only by the microprocessor 101 is satisfied.
- the secret key Ks unique to the microprocessor 101 (which is also used for the decryption of the execution code encryption key Kcode) is used for both, but respectively different values may be used for these purposes.
- the saved context contains a flag indicating the presence/absence of the encryption, so that the encrypted context information and the non-encrypted context information can coexist according to the need.
- the TSS size and the flag indicating the presence/absence of the encryption are stored in a plaintext form so that it is easy to maintain the compatibility with respect to the past programs.
- the OS issues a jump or call instruction with respect to a TSS descriptor indicating the saved TSS.
- the execution code encryption key and signature verification unit 257 of the exception processing unit 131 verifies the signature S Ks [message] 834 by using the secret key Ks of the processor first, and sends the verification result to the exception processing unit 255.
- the exception processing unit 255 stops the restart of the execution of the program, and causes the exception.
- the context information encryption/decryption unit 254 obtains the random number Kr by decrypting the context encryption key E Kp [Kr] 833 by using the secret key Ks.
- the execution code encryption key Kcode corresponding to the program counter (EIP) 809 is taken out from the page table buffer 230, and sent to the current code encryption key memory unit 251.
- the context information encryption/decryption unit 254 decrypts E Kcode [Kr] by using the execution code decryption key Kcode, and sends the result to the execution code encryption key and signature verification unit 257.
- the execution code encryption key and signature verification unit 257 verifies whether the decryption result of E Kcode [Kr] 832 coincides with the decryption result of the microprocessor using the secret key Ks or not. By this verification, it is possible to confirm that this context information is generated by the execution of the execution codes encrypted by using the secret key Kcode.
- This object can also be achieved by adding a secret execution code encryption key Kcode to the context information, but in this embodiment, by the use of the value E Kcode [Kr] in which a secret random number Kr used in encrypting the context information is encrypted by using the execution code encryption key Kcode selected by the program vendor, it is possible to reduce the amount of memory required for saving the context information so as to achieve the effects of the fast context switching and the memory saving. This also enables the feedback of the context information to the program creator.
- an exception occurrence address indicates an address at which the jump or call instruction is issued. Also, a value indicating illegality of the TSS is stored into an interruption cause field in the IDT table, and an address of a jump target TSS is stored into a register that stores an address that is the cause of the interruption. In this way, the OS can learn the cause of the context switching failure.
- the analysis of the context information by the program vendor is important in improving the quality of the program by analyzing the causes of any trouble in the program that occurred according to a condition by which the program is used by the user.
- the above described scheme for realizing both the safety of the context and the capability of the context information analysis by the program vendor is employed, but it is also true that the use of this scheme increases the overhead of the context saving.
- the verification of the context information by using the signature made by the microprocessor prevents the execution of the protected codes in the illegal context information by using a combination of arbitrarily selected value and encryption key, but this additional protection also increases the overhead.
- the context information containing information for identifying the execution code encryption key may be directly encrypted by using the secret key of the processor. Even in such a case, it is still possible to make the intentional alteration of the context cryptographically impossible, and prevent the context information from being applied to a program encrypted by using a different encryption key.
- an "R" bit 825-1 is a bit indicating whether the context is restartable or not.
- when this bit is set to "1", the execution can be restarted by recovering the state saved in the context by the above described recovery procedure, whereas when this bit is set to "0", the restart cannot be made. This has an effect of preventing the restart of the context in which the illegality is detected during the execution of the encrypted program so as to limit the restartable contexts to only those in the proper states.
- a "U" bit 825-2 is a flag indicating whether the TSS is a user TSS or a system TSS. When this bit is set to "0", the saved TSS is the system TSS, and when this bit is set to "1", the saved TSS is the user TSS.
- the TSS that will be saved and recovered through the task switching accompanied by the change of the privilege from the exception entry as described above or through a task gate call up is the system TSS.
- the difference between the system TSS and the user TSS lies in whether a task register indicating a TSS saving location of the currently executed program is to be updated or not at a time of the recovery of the TSS.
- the task register of the currently executed program will be saved in the link to the previous task region 801 of the TSS to be newly recovered, and the segment selector of the new TSS will be read into the task register.
- the update of the task register value will not be carried out.
- the user TSS is aimed only at the saving and the recovery of the register state of the program so that it is not accompanied by the change of the privileged mode.
- the exception includes a software interrupt used for the system call up from the application program.
- the general purpose register is often used for the parameter exchange, and there can be cases where the context information encryption can obstruct the parameter exchange.
- the software interrupt is generated by the application itself, so that it is possible for the application to destroy information of the registers that have secrets, prior to the generation of the software interrupt. Under the presumption of such conditions, it is possible to use a scheme in which the encryption of the registers is not carried out only in the case of the software interrupt. Of course, in such a case, the application program creator should take this fact into consideration and design the program such that the secrets of the program can be protected.
- the processor has a step execution function which causes the interruption whenever one instruction is executed, and a debugging function which causes the exception whenever a memory access with respect to a specific address is made.
- the instruction TLB 121 can judge whether the currently executed code is protected or not (encrypted or not). During the execution of the protected code, two debugging functions including a debug register function and a step execution function are prohibited in order to prevent an intrusion of the encrypted program analysis from a debug flag or a debug register.
- the debug register function is a function in which a memory access range and an access type such as reading/writing as the execution code or data are set in advance into a debug register provided in the processor such that the interruption is caused whenever a corresponding memory access occurs.
- the contents set in the debug register will be ignored so that the interruption for the purpose of the debugging will not occur. Note however that the case where a debug bit is set in the page table is excluded from this rule. The debug bit in the page table will be described later.
- the interruption will be caused whenever one instruction is executed if a step execution bit in an EFLAGS register of the processor is set, but during the execution of the protected code, this bit will also be ignored so that the interruption will not occur.
- these functions make the analysis of the program by the user difficult by preventing the dynamic analysis of the program using the debug register or the debug flag.
- the encryption attributes for protecting data are defined in four registers CY0 to CY3 that are provided inside the microprocessor 101. They correspond to regions 717 to 720 shown in Fig. 9 . In Fig. 9 , details of the registers CY0 to CY2 are omitted, and only details of the register CY3 are shown.
- CY0 is given the highest priority
- CY1 to CY3 are given sequentially lower priorities in this order.
- the attributes of CY0 are given the priority over those of CY1 in that region.
- the definition of the page table is given the highest priority in the case of a memory access as the execution code rather than as the processing target data.
- a debug bit 717-4 is used in selecting whether the data operation in the debugging state is to be carried out in an encrypted state or in a plaintext state. Details of the debug bit will be described later.
- Fig. 12 shows the information flow in the encryption/decryption of the processing target data of the execution codes.
- the data protection is made only in the state where the code is protected, that is the code is executed in an encrypted state. Note however that the case where the code is executed in the debugging state to be described below will be excluded from this rule.
- the contents of the data encryption control registers (which will be also referred to as the encryption attribute registers or the data protection attribute registers) CY0 to CY3 are read from the register file 253 shown in Fig. 4 to a data encryption key table 236 provided inside the data TLB 141.
- the data TLB 141 judges whether the logical address "Addr" is contained in ranges of CY0 to CY3 or not by checking the data encryption key table 236 (see Fig. 4 ). As a result of the judgement, if the encryption attribute is specified, the data TLB 141 commands the code encryption function 212 to encrypt the memory content by the specified encryption key at a time of the memory writing of a corresponding cache line from the L1 data cache 218 to the memory.
- the data TLB 141 commands the data decryption function 219 to decrypt the data by the specified encryption key at a time of the reading of a cache line out to the corresponding L1 data cache 218.
- the data encryption attributes are protected from the illegal rewriting including the privilege of the OS by placing all the data encryption attributes for the data encryption in the registers inside the microprocessor 101 and saving the contents of the registers at a time of the execution interruption as the context information in a safe form into a memory (the main memory 281 of Fig. 4 , for example) external of the microprocessor 101.
- the data encryption/decryption is carried out in units of the cache line that is interleaved as described above in relation to the context encryption. For this reason, even when one bit of the data on the L1 cache 114 is rewritten, the other bits in the cache line will be rewritten on the memory.
- the execution of the data reading/writing is carried out collectively in units of the cache line, so that the increase of the overhead is not so large, but it should be noted that the reading/writing with respect to the encrypted memory regions cannot be carried out in units less than or equal to the cache line size.
- the program is identified by its encryption key. This identification is made by using a key object identifier used at a time of decrypting the currently executed instruction inside the processor.
- a value of the key itself may be used for this identification, but a value of the execution code decryption key has a rather large size of 1024 bits before the decryption or of 128 bits after the decryption which would require an increase of the hardware size, so that the key object identifier which has a total length of only 10 bits is used.
- the L1 instruction cache 213 in which the decrypted execution codes are to be stored has attribute memories in correspondence to the cache lines.
- the key object identifier is written into the attribute memory.
- the contents of the data protection attribute registers CY0 to CY3 are read out from the register file 253 to a protection table management function 233 of the data TLB 141.
- the key object identifier corresponding to the currently executed instruction is also read from the current code encryption key memory unit 251 at the same time and maintained in the protection table management function 233.
- the data cache 218 has attribute memories in correspondence to the cache lines.
- the key object identifier is written into the attribute memory from the protection table management function 233.
- the key object identifier written in the attribute of the data cache and the key object of that instruction in the instruction cache are compared by the secret protection violation detection unit 256. If they do not coincide, the exception of the secret protection violation occurs and the data referring fails. In the case where the attribute of the data cache indicates a plaintext, the data referring always succeeds.
- data generated by some program-1 can be protected from being referred by another program-2 by providing a function for maintaining attributes of the instruction to be executed and the data indicating programs to which they originally belong, and comparing the attributes to see if they coincide or not at a time of the data referring due to the instruction execution.
- the cases where the control can be shifted from the non-protected code to the protected code are limited only to the following two cases:
- the above (2) is a processing for prohibiting a transition to the execution of the protected code unless a special instruction called entry gate ("egate") instruction is executed at the beginning of the control in the case of shifting the control from the non-protected code to the protected code.
- Fig. 11 shows a procedure for switching a protection domain based on the entry gate instruction.
- the microprocessor 101 is maintaining the encryption key of the currently executed code in the current code encryption key memory unit 251 (see Fig. 4 ) of the exception processing unit 131.
- when it is judged as not an entry gate instruction (step 602 NO), it implies that the interrupted instruction is an improper instruction. In this case, whether the instruction that was executed immediately previously is an encrypted (protected) instruction or not is judged (step 603). If it is a non-protected instruction, the exception processing can take place directly, but if it is a protected instruction, there is a need to carry out the exception processing while protecting that instruction.
- when it is judged as a non-protected instruction (step 603 NO), the exception processing is carried out directly, whereas when it is judged as a protected instruction (step 603 YES), the non-restartable exception processing is carried out while maintaining the protected state.
- the initialization of the data protection attribute registers is carried out.
- a random number Kr is loaded into a key region (a region 717-5 in CY3) of the data protection attribute registers CY0 to CY3 717 to 720 shown in Fig. 9
- the encryption target top address is set to "0"
- the size is set to an upper limit of the memory, and the entire logical address space is set as the encryption target. If the debug attribute is not set in the execution code, the debug bit (717-3 in CY3) is set as non-debugging.
- a protected program to be newly executed is set to be always encrypted by using a key determined randomly at a time of the start of all the memory accesses.
- the program carries out the processing by sequentially adjusting its own processing environment by setting the data protection attribute registers such that the necessary memory region can be converted into plaintext so that it becomes accessible.
- the register CY3 with a lowest priority in the initial setting of being encrypted by using the random number, while setting the encryption key "0" as the plaintext access setting for the other registers, it is possible to reduce a risk of accessing an unnecessary region as a plaintext and writing data to be kept in secret by encryption out to a plaintext region by error.
- the contents of the registers other than the data protection attribute registers are not encrypted even in the initialization at the entry gate, and pointers for specifying locations of stacks or parameters can be stored therein. However, care should be taken in the processing of the program to be executed through the entry gate so that secrets of the program will not be stolen by calling up the entry gate by setting illegal values into the registers.
- the fragmental execution of the protected code is prevented, as the first instruction to be executed at a time of shifting the control from the program in the plaintext state to the protected program is limited to the entry gate instruction and the registers including the data protection attribute registers are initialized by the execution of the entry gate instruction.
- the execution of the code 1101 in the protection domain is started as a thread 1121 outside the protection domain is branched into an "egate" (entry gate) instruction of the protection domain.
- all the registers are initialized, and then the data protection attributes are set up sequentially by the execution of the program.
- the control is shifted to a branch target "xxx" 1111 in the protection domain by a "jmp xxx" instruction (processing 1122), and a "call yyy" instruction located at an address "ppp" 1112 is executed (processing 1123).
- the calling source address "ppp" 1112 is pushed into a stack memory 1102, and the control is shifted to a call target "yyy" 1113.
- the control is shifted to a return address "ppp" 1112 in the stack.
- Fig. 14 shows the call up and the branching from a protection domain to a non-protected domain conceptually, where an execution code 1201 of the protection domain and an execution code 1202 of the non-protection domain are placed in respective domains. Also, a user TSS region 1203 and a region 1204 for exchanging parameters with the non-protection domain are provided.
- the execution begins when a thread 1221 executes the "egate" instruction.
- the program of the protection domain saves the address of the user TSS region 1203 in a prescribed parameter region 1204 before calling up the code of the non-protection domain. Then, the code of the non-protection domain is called up by executing the "ecall" instruction.
- the "ecall" instruction takes two operands. One is a call target address, and the other is a saving target of the execution state.
- the "ecall" instruction saves the register state at a time of the call up (or more accurately the register state when the program counter is in a state after the "ecall" instruction is issued) into a region specified by the operand "uTSS", in a format similar to that in the case of the encrypted TSS described above. In the following, this region will be referred to as a user TSS.
- the difference between the user TSS and the system TSS lies in that, in the user register shown in Fig. 10 , a U flag is set in a region 825-2 on the TSS.
- the difference in the operation will be described later.
- the data protection attributes defined in the data protection attribute registers CY0 to CY3 by the user are not applied, similarly as in the case of the saving of the context information into the system TSS.
- the call target code of the non-protection domain cannot exchange parameters because the registers are initialized by the execution of the "ecall" instruction. For this reason, the parameters are acquired from a prescribed address "param" 1204, and the necessary processing is carried out.
- a sub-routine "qqq" 1213 is called up (processing 1225).
- the call up from the protection domain can be adapted to the call up semantics of the sub-routine "qqq" by placing an adaptor code for copying stack pointer setting and the parameters to the stack, between "exx" and the call up of "qqq", for example.
- the processing result is sent to the calling source through the parameter region 1204 on the memory (processing 1226).
- a "sret" instruction is issued in order to return the control to the calling source protection domain (processing 1227).
- the "sret" instruction takes one operand for specifying the user TSS, unlike the "ret" instruction that has no operand.
- the user TSS 1203 is specified indirectly as the recovery information through a pointer stored in the parameter region "param" 1204.
- the recovery of the user TSS by the "sret" instruction largely differs from the recovery of the system TSS in that the task register is not affected at all even when the user TSS is recovered. The task link field of the user TSS will be ignored. The recovery will fail when the system TSS with the U flag 825-2 set to "0" is specified in the operand of the "sret" instruction.
- an "ejmp" instruction is used.
- the "ejmp" instruction does not carry out the saving of the state, unlike the "ecall" instruction. If the control is shifted from the protection domain to the non-protection domain by the instruction other than "ecall" and "ejmp", such as "jmp" or "call", the exception of the secret protection violation occurs and the encrypted context information is saved in the TSS region (a region indicated by the task register) of the system. Note that the context information will be marked as non-restartable at this point. Note also that specifying an address in the protection domain as a jumping target of the "ejmp" instruction does not cause the violation.
- the interchangeable TSS information in such a case is only the context information whose execution is always started through the "egate" and which is saved by the saving of the execution state caused by the interruption or by the user explicitly, as long as the execution code encryption key of the protection domain is managed correctly.
- a possibility for the leakage of the secrets of the application due to the interchange of this context information is quite small, and it is quite difficult for an attacker to guess what kind of the context information interchange is necessary in acquiring the secrets of the application.
- the procedure for call up from the protection domain to the non-protection domain described above is also applicable to a procedure for shifting the control between the protection domains, if the instruction to be executed first at the call target is the "egate" instruction of the calling source side.
- the call up between the protection domains can be carried out safely by encrypting the region for exchanging parameters between these protection domains, by using an encryption key that is shared by carrying out the authentication key exchange between these protection domains in advance.
- the microprocessor of the present invention it becomes possible to prevent the illegal analysis by the OS or a third party by protecting both the execution codes and the processing target data of the execution codes by using the encryption, under the multi-task environment.
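The context saving and restart procedure described above (a fresh Kr per save, E Kcode [Kr] 832, E Kp [Kr] 833, the signature 834, and the two checks made at restart) can be modelled in software. This is an added sketch, not code from the patent: the Feistel cipher, the textbook RSA key pair built from two Mersenne primes, the HMAC standing in for S Ks [message], and all function names are assumptions chosen so that it runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets

# Toy processor key pair: textbook RSA over two Mersenne primes, no padding.
# Constructed for this sketch only, far too weak for real use.
_P, _Q = 2**127 - 1, 2**107 - 1
N, E = _P * _Q, 65537                       # public key Kp
KS = pow(E, -1, (_P - 1) * (_Q - 1))        # secret key Ks, known only to the chip
NLEN = (N.bit_length() + 7) // 8


class ContextError(Exception):
    """Models the exception raised when a saved context is rejected."""


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half, n):
    # Round function: SHA-256 in counter mode, keyed and bound to the round.
    out, c = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + bytes([rnd, c]) + half).digest()
        c += 1
    return out[:n]


def sym_encrypt(key, data):
    """Stand-in secret key algorithm: 4-round Feistel over the whole message."""
    if len(data) % 2:
        raise ValueError("message length must be even")
    h = len(data) // 2
    left, right = data[:h], data[h:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right, h))
    return left + right


def sym_decrypt(key, data):
    h = len(data) // 2
    left, right = data[:h], data[h:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left, h)), left
    return left + right


def _sign(message):
    """Stand-in for S_Ks[message]: a MAC only the holder of Ks can compute."""
    return hmac.new(KS.to_bytes(NLEN, "big"), message, hashlib.sha256).digest()


def save_context(regs, kcode):
    """Processor side, on interruption: build the protected part of the TSS."""
    kr = secrets.token_bytes(16)                         # fresh Kr on every save
    tss = {
        "ctx": sym_encrypt(kr, regs),                    # context under Kr
        "e_kcode_kr": sym_encrypt(kcode, kr),            # E_Kcode[Kr]
        "e_kp_kr": pow(int.from_bytes(kr, "big"), E, N).to_bytes(NLEN, "big"),
    }
    tss["sig"] = _sign(tss["ctx"] + tss["e_kcode_kr"] + tss["e_kp_kr"])
    return tss


def restore_context(tss, kcode):
    """Processor side, on restart. kcode is the key of the page holding EIP."""
    msg = tss["ctx"] + tss["e_kcode_kr"] + tss["e_kp_kr"]
    if not hmac.compare_digest(_sign(msg), tss["sig"]):
        raise ContextError("signature check failed")
    kr = pow(int.from_bytes(tss["e_kp_kr"], "big"), KS, N).to_bytes(16, "big")
    if not hmac.compare_digest(sym_decrypt(kcode, tss["e_kcode_kr"]), kr):
        raise ContextError("context was saved by code under another Kcode")
    return sym_decrypt(kr, tss["ctx"])


def vendor_analyze(tss, kcode):
    """Program vendor side: recover the registers with Kcode alone, no Ks."""
    return sym_decrypt(sym_decrypt(kcode, tss["e_kcode_kr"]), tss["ctx"])
```

A context saved under one Kcode passes the signature check but fails the Kr comparison when restarted under a different Kcode, which is the binding between context and program that the description relies on.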
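The data protection attribute registers CY0 to CY3, their initialization by the entry gate instruction, and the key object identifier comparison on cached data described above can be modelled in the same way. This is an added sketch, not the patent's implementation: the class and method names, the 64-byte cache line and the sample addresses used with it are assumptions.

```python
import secrets
from dataclasses import dataclass

PLAINTEXT_KEY = 0      # key value "0" is the plaintext access setting
LINE = 64              # assumed cache line size in bytes


class SecretProtectionViolation(Exception):
    """Models the secret protection violation exception."""


@dataclass
class CyRegister:
    base: int = 0
    size: int = 0                  # size 0: the register covers nothing
    key: int = PLAINTEXT_KEY


class ProtectedProgram:
    """Register state of one program right after its egate instruction."""

    def __init__(self, key_object_id, mem_limit=1 << 32):
        self.key_object_id = key_object_id          # 10-bit identifier
        kr = secrets.randbits(128) | 1              # random, never the plaintext value
        # CY0..CY2 start as plaintext settings covering nothing; CY3 (lowest
        # priority) encrypts the whole logical address space under Kr.
        self.cy = [CyRegister(), CyRegister(), CyRegister(),
                   CyRegister(0, mem_limit, kr)]

    def attribute_for(self, addr):
        """Return the highest-priority CY register whose range holds addr."""
        for reg in self.cy:                         # CY0 first, CY3 last
            if reg.base <= addr < reg.base + reg.size:
                return reg
        return None


class DataCache:
    """Cache lines tagged with the key object identifier of their owner."""

    def __init__(self):
        self.lines = {}

    def store(self, prog, addr, data):
        reg = prog.attribute_for(addr)
        protected = reg is not None and reg.key != PLAINTEXT_KEY
        tag = prog.key_object_id if protected else None     # None: plaintext line
        self.lines[addr // LINE] = (tag, data)

    def load(self, current_key_object_id, addr):
        """current_key_object_id is None while non-protected code executes."""
        tag, data = self.lines[addr // LINE]
        if tag is not None and tag != current_key_object_id:
            raise SecretProtectionViolation(hex(addr))
        return data
```

Because CY3 covers everything from the start, a program has to open a plaintext window explicitly (for example by loading CY0) before any of its data becomes readable by other code.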
Description
- The present invention relates to a microprocessor that can prevent illegal alteration of execution codes and processing target data under a multi-task program execution environment.
- In recent years, the performance of a microprocessor has improved considerably such that the microprocessor is capable of realizing reproduction and editing of video images and audio sounds, in addition to the conventional functions such as computations and graphics. By implementing such a microprocessor in a system designed for end-users (which will be referred to as PC hereafter), the users can enjoy various video images and audio sounds on monitors. Also, by combining the function for reproducing video images and audio sounds with the computational power of the PC, the applicability to games or the like can be improved. Such a microprocessor is not designed for any specific hardware and can be implemented in a variety of hardware so that there is an advantage that the users who already possess PCs can enjoy reproduction and editing of video images and audio sounds inexpensively by simply changing a microprocessor for executing programs.
- In the case of handling video images and audio sounds on PCs, there arises a problem of a protection of the copyright of original images or music. In the MD or digital video playback devices, unlimited copies can be prevented by implementing a mechanism for preventing the illegal copying in these devices in advance. It is rather rare to attempt the illegal copying by disassembling and altering these devices, and even if such devices are made, there is a worldwide trend for prohibiting the manufacturing and sales of devices altered for the purpose of illegal copying by laws. Consequently, damages due to the hardware based illegal copying are not very serious.
- However, image data and music data are actually processed on the PC by the software rather than the hardware, and the end-user can freely alter the software on the PC. Namely, if the user has some level of knowledge, it is quite feasible to carry out the illegal copying by analyzing programs and rewriting the executable software. In addition, there is a problem that the software for illegal copying so produced can be spread very quickly through media such as networks, unlike the hardware.
- In order to resolve these problems, PC software used for reproducing copyright protected contents such as commercial films or music has conventionally employed a technique for preventing analysis and alteration by encrypting the software. This technique is known as tamper resistant software (see David Aucsmith et al., "Tamper Resistant Software: An Implementation", Proceedings of the 1996 Intel Software Developer's Conference).
- The tamper resistant software technique is also effective in preventing illegal copying of valuable information including not only video and audio data but also text and know-how that is to be provided to a user through the PC, and protecting know-how contained in the PC software itself from analysis.
- However, the tamper resistant software technique is a technique which makes analysis using tools such as a disassembler or debugger difficult by encrypting a portion of the program that requires protection before the execution of the program starts, decrypting that portion immediately before executing that portion and encrypting that portion again immediately after the execution of that portion is completed. Consequently, as long as the program is executable by a processor, it is always possible to analyze the program by carrying out the analysis step by step starting from the start of the program.
- This fact has been an obstacle for a copyright owner to provide copyright protected contents to a system for reproducing video and audio data using the PC.
- The other tamper resistant software applications are also vulnerable in this regard, and this fact has been an obstacle to a sophisticated information server through the PC and an application of a program containing know-how of an enterprise or individual to the PC.
- These are problems that equally apply to the software protection in general, but in addition, the PC is an open platform so that there is also a problem of an attack by altering the operating system (OS) which is intended to be a basis of the system's software configuration. Namely, a skilled and malicious user can alter the OS of his own PC to invalidate or analyze the copyright protection mechanisms incorporated in application programs by utilizing privileges given to the OS.
- The current OS realizes the management of resources under the control of the computer and the arbitration of their uses by utilizing a privileged operation function with respect to a memory and an execution control function provided in the CPU. Targets of the management include the conventional targets such as devices, CPU and memory resources, as well as QoS (Quality of Service) at network or application level. Nevertheless, the basics of the resource management are still allocations of resources necessary for the execution of a program. Namely, an allocation of a CPU time to the execution of that program and an allocation of a memory space necessary for the execution are the basics of the resource management. The control of the other devices, network and application QoS is realized by controlling the execution of a program that makes accesses to these resources (by allocating a CPU time and a memory space).
- The OS has privileges for carrying out the CPU time allocation and the memory space allocation. Namely, the OS has a privilege for interrupting and restarting an application program at arbitrary timing and a privilege to move a content of a memory space allocated to an application program to a memory of a different hierarchical level at arbitrary timing, in order to carry out the CPU time allocation. The latter privilege is also used for the purpose of providing a flat memory space to the application by concealing (normally) hierarchical memory systems with different access speeds and capacities from the application.
- Using these two privileges, the OS can interrupt an execution state of the application and take a snap shot of it at arbitrary timing, and restart it after making a copy of it or rewriting it. This function can also be used as a tool for analyzing secrets hidden in the application.
- In order to prevent an analysis of the application on a computer, there are several known techniques for encrypting programs or data (Hampson, U.S. Patent No. 4,847,902; Hartman, U.S. Patent No. 5,224,166; Davis, U.S. Patent No. 5,806,706; Takahashi et al., U.S. Patent No. 5,825,878; Buer et al., U.S. Patent No. 6,003,117; Japanese Patent Application Laid Open No. 11-282667 (1999
- The conventional technique based on the x86 architecture of Intel Corporation (Hartman, U.S. Patent No. 5,224,166) is a technique for storing the execution codes and data by encrypting them by using a prescribed encryption key Kx. The encryption key Kx is given in a form of EKp[Kx] which is encrypted by using a public key Kp corresponding to a secret key Ks embedded in a processor. Consequently, only the processor that knows Ks can decrypt the encrypted execution codes on a memory. The encryption key Kx is stored in a register inside the processor called a segment register.
- Using this mechanism, it is possible to protect the secrecy of the program codes from the user to some extent by encrypting the codes. Also, it becomes cryptographically difficult for a person who does not know the encryption key Kx of the codes to alter the codes according to his intention or newly produce codes that are executable when decrypted by using the encryption key Kx.
- However, the system employing this technique has a drawback in that the analysis of the program becomes possible by utilizing a privilege of the OS called a context switching, without decrypting the encrypted execution codes.
- More specifically, when the execution of the program is stopped by the interruption or when the program voluntarily calls up a software interruption command due to the system call up, the OS carries out the context switching for the purpose of the execution of the other program. The context switching is an operation to store an execution state (which will be referred to as a context information hereafter) of the program indicating a set of register values at that point into a memory, and restoring the context information of another program stored in the memory in advance into the registers.
- Fig. 15 shows the conventional context storing format used in the x86 processor. All the contents of the registers used by the application are contained here. The context information of the interrupted program is restored into the registers when the program is restarted. The context switching is an indispensable function in order to operate a plurality of programs in parallel. In the conventional technique, the OS can read the register values at a time of the context switching, so that it is possible to guess most of the operations made by the programs if not all, according to how the execution state of that program has changed.
- In addition, by controlling a timing at which the exception occurs by setting of a timer or the like, it is possible to carry out this processing at arbitrary execution point of the program. Apart from the interruption of the execution and the analysis, it is also possible to rewrite the register information by malicious intention. The rewriting of the registers can not only change the operation of the program but also make the program analysis easier. The OS can store arbitrary state of the application so that it is possible to analyze the operation of the program by rewriting the register values and operating the program repeatedly. In addition to the above described functions, the processor has a debugging support function such as a stepwise execution, and there has been a problem that the OS can analyze the application by utilizing all these functions.
- As far as data are concerned, U.S. Patent No. 5,224,166 asserts that the program can access the encrypted data only by the program execution using the encrypted code segment. Here, there is a problem that the encrypted data can be freely read by the encrypted program by using arbitrary key, regardless of the encryption key by which the program is encrypted, even when there are programs encrypted by using mutually different encryption keys. This conventional technique does not account for the case where the OS and the application have their own secrets independently and the secret of the application is to be protected from the OS or a plurality of program providers have their own secrets separately.
- Of course, it is possible to separate memory spaces among the applications and to prohibit accesses to a system memory by the applications by the protection function provided in the virtual memory mechanism even in the existing processor. However, as long as the virtual memory mechanism is under the management of the OS, the protection of the secret of the application cannot rely on the function under the management of the OS. This is because the OS can access data by ignoring the protection mechanism, and this privilege is indispensable in providing the virtual memory function as described above.
- As another conventional technique, Japanese Patent Application Laid Open No. 11-282667 (1999
- Also, in U.S. Patent No. 5,123,045, Ostrovsky et al. disclose a system that presupposes the use of sub-processors having unique secret keys corresponding to the applications, in which the operation of the program cannot be guessed from the access pattern by which these sub-processors are accessing programs placed on a main memory. This is based on a mechanism for carrying out random memory accesses by converting the instruction system for carrying out operations with respect to the memory into another instruction system different from that.
- However, this technique requires different sub-processors for different applications so that it requires a high cost, and the implementation and fast realization of the compiler and processor hardware for processing such instruction system are expected to be very difficult as they are quite different from those of the currently used processors. Besides that, in this type of processor, it becomes difficult to comprehend correspondences among the data contents and the operations even when the data and the operations of the actually operated codes are observed and traced so that the debugging of the program becomes very difficult, and therefore this technique has many practical problems, compared with the other conventional techniques described above in which the program codes and the data are simply encrypted, such as those of U.S. Patent No. 5,224,166 and Japanese Patent Application Laid Open No. 11-282667
- US Patent 4558176 discloses a computer system for inhibiting unauthorized copying and usage, and automated cracking of protected software, comprising a context information saving unit and a restart unit; the state of a CPU can be saved in the external memory.
- Markus Kuhn: The discloses a microprocessor having a unique secret key and a unique public key corresponding to the unique secret key that cannot be read out to external, comprising: a reading unit configured to read out a plurality of programs encrypted by using different execution code encryption keys from an external memory; a decryption unit configured to decrypt the plurality of programs read out by the reading unit by using respective decryption keys; an execution unit configured to execute the plurality of programs decrypted by the decryption unit, a context information saving unit configured to save a context information for one program whose execution is to be interrupted, into a context information memory provided inside the microprocessor, or encrypt the context information and save the encrypted context into the external memory, the context information containing information indicating an execution state of the one program; and a restart unit configured to restart an execution of the one program by reading out the context information from the context information memory, and recovering the execution state of the one program from the context information, or reading the encrypted context information from external memory, decrypting the encrypted context information, and recovering the execution state of the one program from the decrypted context information.
- The present invention provides a microprocessor as defined in Claim 1.
- The present invention can provide a microprocessor capable of surely protecting both the internally executed algorithm and the data state inside a memory region from illegal analysis in the multi-task environment even when the execution is stopped by the interruption.
- This is an improvement on conventional techniques that are capable of protecting values of the program codes but are incapable of preventing the analysis utilizing the interruption of the program execution by the exception occurrence or the debugging function. Thus the microprocessor is preferably capable of surely protecting the codes even at a time of the program execution interruption, in which this protection is compatible with both the execution control function and the memory management function required by the current OS.
- The invention can also provide a microprocessor in which each program can secure a correctly readable/writable data region independently even when a plurality of programs encrypted by using different encryption keys are to be executed.
- This is an improvement on the conventional technique of U.S. Patent No. 5,224,166 which only provides a simple protection in which accesses to the encrypted data region by non-encrypted codes are prohibited, and it has been impossible for a plurality of programs to protect their own secrets independently. Thus the microprocessor preferably has a data region for protecting the secret of each application from the OS when a plurality of applications have their respective (encrypted) secrets.
- The invention can also provide a microprocessor capable of protecting the protected attributes (i.e., encrypted attributes) of the above-described data region from illegal rewriting by the OS.
- This is an improvement on the conventional technique of U.S. Patent No. 5,224,166 which has a drawback in that the OS can rewrite the encrypted attributes set in the segment register by interrupting the execution of the program using the context switching. Once the program is put in a state where data are written in a form of plain text by rewriting the encrypted attributes, data will not be written into a memory without encryption. Even if the application checks the segment register value at some timing, the result is the same if the register value is rewritten after that. Thus the microprocessor is preferably provided with a mechanism which is capable of prohibiting such an alteration or detecting such an alteration and taking appropriate measure against such an alteration.
- The invention can also provide a microprocessor capable of protecting the encrypted attributes from the so-called chosen plain text attack of the cryptanalysis theory, in which the program can use arbitrary value as the data encryption key.
- The invention can also provide a microprocessor provided with a mechanism for the program debugging and feedback. Namely, the debugging of the program is preferably carried out in plain text and the feedback of information on defects is preferably provided to a program code provider (program vendor) in the case of the execution failure.
- The microprocessor is preferably capable of achieving these improvements in a form that realizes both a low cost and a high performance.
- In order to achieve the first improvement, the microprocessor which is formed as a single chip or a single package reads a plurality of programs encrypted by using code encryption keys that are different for different programs, from a memory (a main memory, for example) external of the microprocessor through a bus interface unit that provides a reading function. A decryption unit decrypts these plurality of read out programs by using respectively corresponding decryption keys, and an instruction execution unit executes these plurality of decrypted programs.
- In the case of interrupting the execution of some program among the plurality of programs, a context information encryption/decryption unit that provides an execution state writing function encrypts information indicating a state of execution up to an interrupted point of the program to be interrupted and the code encryption key of this program, by using an encryption key unique to the microprocessor, and writes the encrypted information as a context information into a memory external of the microprocessor.
- In the case of restarting the interrupted program, a verification unit that provides a restarting function decrypts the encrypted context information by using a unique decryption key corresponding to the unique encryption key of the microprocessor, and restarts the execution of the program only when the code encryption key contained in the decrypted context information (that is the code encryption key of the program scheduled to be restarted) coincides with the original code encryption key of the interrupted program.
- In addition, in order to achieve the second and third improvements, the microprocessor also has a memory region (a register, for example) inside the processor that cannot be read out to the external, and an encrypted attribute writing unit (an instruction TLB, for example) for writing encrypted attributes for the processing target data of the program into the internal memory. The encrypted attributes include, for example, the code encryption key of the program and an encryption target address range. At least a part of these encrypted attributes is contained in the context information.
- The context information encryption/decryption unit also attaches a signature based on a secret information unique to the microprocessor to the context information. In this case, the verification unit judges whether the signature contained in the decrypted context information coincides with the original signature based on the secret information unique to the microprocessor or not, and restarts the interrupted program only when they coincide.
- In this way, the state of execution up to an interrupted point of the encrypted program is stored in the external memory as the context information, while the protected attributes of the execution processing target data are stored in the register inside the processor, so that the illegal alteration of the data can be prevented.
- In order to achieve the fourth improvement, the microprocessor that is formed as a single chip or a single package maintains a unique secret key therein that cannot be read out to the external. The bus interface unit that provides a reading function reads the code encryption key that is encrypted by using a unique public key of the microprocessor corresponding to the secret key in advance from a memory external of the microprocessor. A key decryption unit that provides a first decryption function decrypts the read out code encryption key by using the secret key of the microprocessor. The bus interface unit also reads out a plurality of programs encrypted by respectively different code encryption keys from an external memory. A code decryption unit that provides a second decryption function decrypts these plurality of read out programs. The instruction execution unit executes these plurality of decrypted programs.
- In the case of interrupting the execution of some program among the plurality of programs, a random number generation mechanism generates a random number as a temporary key. The context information encryption/decryption unit writes a first value obtained by encrypting information indicating the execution state of the program to be interrupted by using the random number, a second value obtained by encrypting this random number by using the code encryption key of the program to be interrupted, and a third value obtained by encrypting this random number by using the secret key of the microprocessor, into the external memory as the context information.
- In the case of restarting the execution of the program, the context information encryption/decryption unit reads out the context information from the external memory, decrypts the random number of the third value contained in the context information by using the secret key, and decrypts the execution state information contained in the context information by using the decrypted random number. At the same time, the random number of the second value contained in the context information is decrypted by using the code encryption key of the program scheduled to be restarted. The random number obtained by decrypting the second value by using the code encryption key and the random number obtained by decrypting the third value by using the secret key are compared with the temporary key, and the execution of the program is restarted only when they coincide.
- In this way, the context information indicating the state of execution up to an interrupted point is encrypted by using the random number that is generated at each occasion of the storing, and the signature using the secret key unique to the microprocessor is attached, so that the context information can be stored in the external memory safely.
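The save and restart checks described in the three paragraphs above, modelled in Python as an added example (not code from the patent). It assumes a 4-round HMAC-SHA256 Feistel network as a stand-in both for the DES-type cipher and for the operation with the processor's secret key; the names Processor, save_context, restore_context and ContextRejected are hypothetical.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16  # bytes; block and key size of the stand-in cipher (assumption)


class ContextRejected(Exception):
    """Raised when the restart check fails (hypothetical name)."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function built from HMAC-SHA256, truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def enc_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with a 4-round Feistel network."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def dec_block(key: bytes, block: bytes) -> bytes:
    """Invert enc_block by running the rounds backwards."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ctr_crypt(key: bytes, data: bytes) -> bytes:
    """Counter mode over enc_block; acceptable here because the key is single-use."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        stream = enc_block(key, (off // BLOCK).to_bytes(BLOCK, "big"))
        out += _xor(data[off:off + BLOCK], stream)
    return bytes(out)


def pack_regs(regs):
    """Serialize 32 general purpose registers R0..R31 as 32-bit words."""
    return struct.pack(">32I", *regs)


def unpack_regs(blob):
    return list(struct.unpack(">32I", blob))


class Processor:
    def __init__(self):
        self._ks = os.urandom(BLOCK)  # processor-unique secret, never exported

    def save_context(self, state: bytes, kx: bytes) -> dict:
        """Build the three values written to external memory on interruption."""
        r = os.urandom(BLOCK)  # temporary key, fresh for every save
        return {
            "first": ctr_crypt(r, state),     # execution state under r
            "second": enc_block(kx, r),       # r under the program's key Kx
            "third": enc_block(self._ks, r),  # r under the processor secret
        }

    def restore_context(self, ctx: dict, kx: bytes) -> bytes:
        """Return the execution state only if both recovered copies of r coincide."""
        if len(ctx["second"]) != BLOCK or len(ctx["third"]) != BLOCK:
            raise ContextRejected("malformed context")
        r_proc = dec_block(self._ks, ctx["third"])
        r_prog = dec_block(kx, ctx["second"])
        if not hmac.compare_digest(r_proc, r_prog):
            raise ContextRejected("context does not match this program and processor")
        return ctr_crypt(r_proc, ctx["first"])


if __name__ == "__main__":
    cpu, kx = Processor(), os.urandom(BLOCK)
    regs = [0x1000 + i for i in range(32)]        # constructed register values
    ctx = cpu.save_context(pack_regs(regs), kx)   # what the OS gets to store
    assert unpack_regs(cpu.restore_context(ctx, kx)) == regs
    for label, bad_ctx, bad_kx in [
        ("different program key", ctx, os.urandom(BLOCK)),
        ("altered second value", dict(ctx, second=bytes(BLOCK)), kx),
    ]:
        try:
            cpu.restore_context(bad_ctx, bad_kx)
        except ContextRejected as exc:
            print(f"{label}: rejected ({exc})")
```

The restart check compares only the two recovered copies of the temporary key, so in this model an altered first value decrypts to a different register state rather than being rejected.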
- In order to achieve the first to third and sixth improvements, the microprocessor that is formed as a single chip or a single package reads out a plurality of programs encrypted by using the encryption keys that are different for different programs, and executes them. This microprocessor has an internal memory (a register, for example) that cannot be read out to the external, and stores the encrypted attributes for data to be referred from each program (that is the processing target data) and the encrypted attribute specifying information into the register. The context information encryption/decryption unit writes a related information that is related to the encrypted attribute specifying information stored in the register and containing a signature unique to the microprocessor, into the external memory. A protection table management unit reads the related information from the external memory according to an address of the data to be referred by the program. The verification unit verifies the signature contained in the read out related information by using the secret key, and permits the data referring by the program according to the encrypted attribute specifying information and the read out related information only when that signature coincides with the signature unique to the microprocessor.
- In this configuration, the information to be stored in the internal register is attached with the signature and stored into the external memory, and only the necessary portion is read out to the microprocessor. The signature is verified at a time of reading, so that the safety against the substitution can be secured. Even when the number of programs to be handled is increased and the number of the encrypted attributes is increased, there is no need to expand the memory region inside the microprocessor so that a cost can be reduced.
- Other features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings.
- Fig. 1 is a block diagram showing a system incorporating a microprocessor according to the first example of the present invention.
- Fig. 2 is a diagram showing an entire memory space used in the microprocessor of Fig. 1.
- Fig. 3 is a block diagram showing a basic configuration of a microprocessor according to the preferred embodiment of the present invention.
- Fig. 4 is a block diagram showing a detailed configuration of the microprocessor of Fig. 3.
- Fig. 5 is a diagram showing a page directory and a page table format used in the microprocessor of Fig. 3.
- Fig. 6 is a page table and a key entry format used in the microprocessor of Fig. 3.
- Figs. 7A and 7B are diagrams respectively showing exemplary data before and after interleaving used in the microprocessor of Fig. 3.
- Fig. 8 is a diagram showing a flow of information for a code decryption processing to be carried out in the microprocessor of Fig. 3.
- Fig. 9 is a diagram showing a CPU register used in the microprocessor of Fig. 3.
- Fig. 10 is a diagram showing a context saving format used in the microprocessor of Fig. 3.
- Fig. 11 is a flow chart for a protection domain switching procedure to be carried out in the microprocessor of Fig. 3.
- Fig. 12 is a diagram showing a flow of information for data encryption and decryption processing to be carried out in the microprocessor of Fig. 3.
- Fig. 13 is a diagram conceptually showing a process of execution control within a protection domain by the microprocessor of Fig. 3.
- Fig. 14 is a diagram conceptually showing a process of call up and branching from a protection domain to a non-protection domain by the microprocessor of Fig. 3.
- Fig. 15 is a diagram showing a context saving format used in a conventional processor.
- Referring now to Fig. 1 and Fig. 2, the first example of a tamper resistant microprocessor according to the present invention will be described in detail.
- This first example is directed to a microprocessor for protecting secrets of the program instructions (execution codes) and the context information (execution state) which are to be provided in encrypted forms by using the public key (asymmetric key) cryptosystem, from a user of a target system.
- Fig. 1 shows the target system, where a microprocessor 2101 of the target system is connected to a main memory 2103 through a bus 2102.
- As shown in Fig. 1, in this example, the microprocessor 2101 has a register file 2111, an instruction execution unit 2112, an instruction buffer 2113, a public key decryption function 2114, a secret key register 2115, a common key decryption function 2116, a common key register 2117, a BIU (Bus Interface Unit) 2118, a register buffer 2119, a public key register 2120, an encryption function 2121, a decryption function 2122, and a previous common key register 2123, which will be described in further detail below.
- First, the terms to be used in the following description will be described, and the operation of general operating system (OS) and application programs will be described briefly. A program is a set of data and a series of machine language instructions written for some specific purpose. The OS is a program for managing resources of the system, and the application is a program to be operated under the resource management of the OS. This example presupposes the multi-task system, so that a plurality of application programs will be operated in a quasi parallel manner under the management of the OS. Each one of these programs that are operated in the quasi parallel manner will be referred to as a process. There are cases where a set of processes for executing the processes for the same purpose will be referred to as a task.
- The instructions and data of the application program are usually stored in files on a secondary memory. They are arranged on a memory by a loader of the OS and executed as a process. The execution of the program is often interrupted by an exception (or interruption) processing of the processor caused by input/output or the like. A program for carrying out the exception processing will be referred to as an exception handler. The exception handler is usually set up by the OS. The OS can process an exception request from the hardware, interrupt the operation of the application and restart or start the operation of another application at arbitrary timing. The interruptions of the process include transitory cases where the execution of the original process is restarted without switching processes after the execution of the exception handler, and cases requiring the process switching. Examples of the former include a simple timer increment and examples of the latter include a virtual memory processing due to the page exception.
- The object of this example is to protect the program instructions (execution codes) and the execution state from a user of the target system who can freely read the main memory of the target system and freely alter the OS program or application programs.
- The basic features for achieving this object are the access control with respect to the information storage inside the processor and the encryption based on the information listed below.
- (1) A common key Kx selected by a program creator. The application program will be encrypted by the secret key cryptosystem using this key.
- (2) A pair of a unique public key Kp and a unique secret key Ks provided inside the processor. The public key can be read out by the program by using instructions.
- (3) An encryption key information in which the common key Kx of the program is encrypted by using the public key Kp of the processor.
- This processor is capable of executing a program with coexisting plaintext instructions and encrypted instructions which is placed on the main memory. Here the operation inside the CPU for the execution of a plaintext program will be described with references to Fig. 1 and a memory arrangement shown in Fig. 2.
- Fig. 2 shows an entire memory space 2201, in which programs are placed in regions 2202 to 2204 on the main memory, where regions region 2203 is an encrypted region. A region 2205 stores a key information to be used in decrypting the region 2203.
- The execution of the program is started as the control is shifted from the OS by an instruction for jump to a top X of the program or the like. The instruction execution unit 2112 executes the instruction for jump to X, and outputs an address of the instruction to the BIU 2118. The content of the address X is read through the bus 2102, sent from the BIU 2118 to the instruction buffer 2113, and sent to the instruction execution unit 2112 where the instruction is executed. Its operation result is reflected in the register file 2111. When the operation target is reading/writing with respect to an address on the main memory 2103, its address value is sent to the BIU 2118, that address is outputted from the BIU 2118 to the bus 2102, and data reading/writing with respect to the memory is carried out.
- The instruction buffer 2113 has a capacity for storing two or more instructions, and the instructions corresponding to a size of the instruction buffer 2113 are collectively read out from the main memory 2103.
- Next, the case of executing an encrypted instruction will be described. The processor of this example has two states including the execution of plaintext instructions and the execution of encrypted instructions, and two types of instructions for controlling these states are provided. One is an encryption execution start instruction for making a transition from the execution of plaintext instructions to the execution of encrypted instructions, and another is a plaintext return instruction for making a reverse transition.
- The encryption execution start instruction is denoted by the following mnemonic "execenc" and takes one operand:
- execenc keyaddr
- Here, the key information and the program encryption will be described. The encrypted region 2203 comprises a sequence of encrypted instructions. The instructions are subdivided into blocks in units of a prefetch queue size and encrypted by the secret key algorithm such as DES (Data Encryption Standard) algorithm. A key to be used in this encryption will be denoted as Kx hereafter. Since the secret key algorithm is used, the same key Kx is also used for the decryption.
- If this Kx is placed on the main memory in a plaintext form, a user who can operate the OS of the target system can easily read it and analyze the encrypted program. In order to prevent this, EKp[Kx] obtained by encrypting Kx by using the public key Kp of the processor will be placed in the region 2205 of the memory. A top address of this region is indicated by "keyaddr".
- It is cryptographically (computationally) impossible to decrypt Kx from EKp[Kx] unless one knows Ks corresponding to the public key Kp. Consequently, the secret of the program will never be leaked to the user as long as the user of the target system does not know Ks. This Ks is stored in a form that cannot be read out from the external, inside the processor. The processor can decrypt Kx internally without allowing the user to learn about it, and the processor can also decrypt the encrypted program by using Kx and execute it.
- In the following, the encryption execution start instruction and the subsequent execution of the encrypted instruction will be described in detail. By the execution of the jump instruction in a region 2207, the control is shifted to the encryption execution start instruction at the address "start". At the address indicated by the operand "keyaddr" of the encryption execution start instruction, the content of the specified region 2205 is read out to the instruction execution unit 2112 of the processor as data. The instruction execution unit 2112 sends this data EKp[Kx] to the public key decryption function 2114. The public key decryption function 2114 takes out Kx by decrypting EKp[Kx] by using a secret key Ks unique to the processor which is stored in the secret key register 2115, and stores it in the common key register 2117. Then, the processor enters the encrypted instruction execution state.
- Here, it is assumed that the processor package is manufactured such that the contents stored in the secret key register 2115 and the common key register 2117 cannot be read out to the external by the program or the debugger of the processor chip.
- By executing the encryption execution start instruction, the key to be used in decrypting the subsequent instructions is stored into the common key register 2117, and the processor is entered into the encrypted instruction execution state. When the processor is in the encrypted instruction execution state, the instructions read from the main memory 2103 are sent from the BIU 2118 to a common key decryption function 2116, decrypted by using the key information stored in the common key register 2117 and stored into the instruction buffer 2113.
- In this example, the program encrypted by using the key Kx which is stored in the region 2204 next to the encryption execution start instruction will be decrypted, stored in the instruction buffer 2113, and executed. The reading is carried out in units of a size of the instruction buffer 2113. Fig. 2 shows an exemplary case where the size of the instruction buffer 2113 is 64 bits, and four instructions of 16 bits size each are collectively read out to the instruction buffer 2113.
- The processor in the encrypted instruction execution state returns to the plaintext instruction execution state by the execution of the plaintext return instruction.
- The plaintext return instruction is denoted by the following mnemonic:
- exitenc
- Note that when the encryption execution start instruction is executed again during the execution of the encrypted instruction, the instruction decryption key is changed such that the subsequent instructions are decrypted by using a different key and executed.
- Next, the safe saving of the execution state in order to protect the secret of the application program in the multi-task environment will be described.
- The
register file 2111 of this processor has 32 general purpose registers (R0 to R31). R31 is used as a program counter. The contents of the general purpose registers are stored in the register file 2111. When the exception occurs during the execution of the encrypted program as described above, the contents of the register file 2111 are moved to the register buffer 2119, and the contents of the register file 2111 are initialized by a prescribed value or a random number. Then, the value of the common key used for decryption of the encrypted program is stored in the previous common key register 2123. Only when these two types of initialization are completed, the control is shifted to the exception handler and the instructions of the exception handler are executed. The instructions of the exception handler are assumed to be non-encrypted. - By this register file initialization function, in the processor of this example, the reading of the register values processed by the encrypted program by the exception handler program is prevented even in the case where the control is shifted to the exception handler as an exception occurs during the execution of the encrypted program. At the same time, the contents of the
register file 2111 are saved in the register buffer 2119, and there is a function for recovering the register buffer contents and for storing them into the memory as will be described below, so as to enable the restart of the encrypted program. - Now, the register contents stored in the
register buffer 2119 cannot be read out directly from the non-encrypted program of the exception handler. The non-encrypted program of the exception handler is only allowed to perform the following two operations with respect to the register buffer 2119. - (1) Recover the register buffer contents and restart the execution of the original encrypted program.
- (2) Encrypt the register buffer contents and store them into the memory, and execute the OS program or another encrypted program.
- In the case of (1), when the exception handler processing such as the increment of the counter is finished, the exception handler issues a "cont" (continue) instruction. When the "cont" instruction is executed, the contents of the
register buffer 2119 and the previous common key register 2123 are recovered in the register file 2111 and the common key register 2117, respectively. The program counter is contained in the register file 2111, so that the execution of the encrypted program is restarted by setting the control back to a point where the execution of the encrypted program was interrupted. For the decryption of the encrypted program after the restart, the value recovered from the previous common key register 2123 will be used. Similarly as the contents of the register buffer 2119, the program cannot rewrite the previous common key register 2123 explicitly. - The case of (2) corresponds to the case where the process switching occurs at a timing of the execution of the exception handler. In this case, the exception handler or a task dispatcher of the processor issues a "savereg" (save register) instruction for saving the contents of the
register buffer 2119 into the memory. This "savereg" instruction is denoted by the following mnemonic: - savereg dest
- When the "savereg" instruction is issued, the contents of the
register buffer 2119 and the previous common key register 2123 are encrypted by the encryption function 2121 by using the public key Kp of the processor stored in the public key register 2120, and saved at an address on the main memory 2103 specified by "dest" through the BIU 2118. The main memory 2103 is outside the processor so that it has a possibility of being accessed by the user, but these contents are encrypted by the public key of the processor so that the user who does not know the secret key of the processor cannot learn the register buffer contents. - After the register buffer contents are saved, the OS activates another encrypted program by the method described above. If another encrypted program is activated without saving the register buffer contents, the register buffer contents would be rewritten to those of another encrypted program when the execution of another encrypted program is interrupted, and it would become impossible to restart the original encrypted program as the register buffer contents for the original encrypted program are lost.
- Here, the number of the register buffer is assumed to be one, but it is also possible to provide a plurality of register buffers so as to be able to deal with multiple exceptions.
- Next a procedure for recovering the saved execution state will be described.
- At a time of restarting the interrupted application, a dispatcher of the OS issues a "rcvrreg" (recover register) instruction. This "rcvrreg" instruction is denoted by the following mnemonic:
- rcvrreg addr
- When the "rcvrreg" instruction is issued, the encrypted execution state information is taken out from the address of the memory specified by "addr" by the
BIU 2118 of the processor, decrypted by using the secret key Ks of the processor by the decryption function 2122, and the register information is recovered in the register file 2111 while the program decryption key is recovered in the common key register 2117. When the recovery is completed, the execution of the interrupted program is restarted from a point indicated by the program counter. At this point, the key Kx recovered from the execution state information will be used for decryption of the encrypted program. - The detail of the saving and the recovery of the execution state in relation to the interruption of the encrypted program due to exception has been described above. As already described above, the encrypted programs are safe against attacks from the user who can operate the OS of the target system.
- Next, the safety of the above described scheme against two types of attacks against the execution state will be described.
- There are two types of attacks against the execution state that is generated in a process of the application execution. One is the peeping of the saved execution state by an attacker, and the other is the rewriting of the execution state to a desired value by an attacker.
- Here, the following two terms for expressing the illegal accesses to the execution state will be defined. First, the program that has generated the execution state will be referred to as an original program for that execution state. The original program can be restarted by recovering the execution state in the registers. On the other hand, programs other than the program that has generated the execution state, that is programs encrypted by encryption keys different from that of the original program or plaintext programs, will be referred to as other programs.
- The illegal accesses or the attacks with respect to the execution state generated by some original program are defined as an act of directly analyzing the execution state on the memory by some method independently from the operation of the processor by a third party who does not know the encryption key of the original program, or an act of analyzing the execution state or rewriting the execution state to a desired value by a third party utilizing the other programs operated on the same processor.
- In the microprocessor of this example, the execution state is protected by the following three types of mechanisms so as to prevent the illegal accesses utilizing the access to the memory external of the processor or the other programs.
- First, in this example, the register information is saved in the
register buffer 2119 when the execution of the encrypted program is interrupted. Then, the register buffer 2119 and the previous common key register 2123 cannot be accessed by any methods other than that using the "rcvrreg" instruction or the "savereg" instruction, so that the other programs cannot read their contents freely. - In the conventional processor, the register contents at a time of the exception occurrence can be freely read by the exception handler program. In the microprocessor of this example, the register contents are saved in the
register buffer 2119 so as to prohibit the reading from the other programs, and the instruction for saving the register buffer contents by encrypting them by using the public key of the processor is provided so as to prevent the peeping of the execution state saved on the memory by the user of the system. - The second attacking method includes a method for reading values of the registers contained in the execution state by placing the instruction of some other program known to the attacker at the same memory address as the original program such that this other program reads the encrypted execution state.
- In the microprocessor of this example, the encrypted execution state contains the program encryption key, and this key will be used in decrypting the encrypted program at a time of restart. Because of this mechanism, even when a program other than the original program attempts to read the execution state, the key does not match so that the program cannot be decrypted correctly and the program cannot be executed according to the intention of the attacker. Thus the second attacking method is impossible in the microprocessor of this example.
- This effect cannot be realized by simply encrypting the execution state itself by the public key of the processor, but can be realized by encrypting the decryption key of the original program and the execution state integrally.
- Note that, in order to maximize this effect, values of the registers (R0 to R31) and the common key Kx should preferably be stored in the identical cipher block at a time of the encryption using the public key.
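- The argument above, as an added example that is not part of the patent text: a toy C model compares a restore that takes the code key from the sealed context with a weaker one where the restoring software picks the key. The opcode `OP_LEAK`, the XOR mask used as a stand-in for both ciphers, and all constants are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS     32
#define PC        31              /* R31 is the program counter */
#define MEM_WORDS 8
#define OP_LEAK   0x4C45414Bu     /* hypothetical opcode: copy R0 to an output port */
#define CTX_WORDS (NREGS + 1)     /* R0..R31 plus the code key, sealed as one unit */

typedef struct {
    uint32_t regs[NREGS];
    uint32_t code_key;            /* common key register; 0 means plaintext mode */
    uint32_t out_port;            /* what a running program managed to emit */
} cpu_t;

static const uint32_t CPU_SECRET = 0xC0FFEE11u;   /* constructed stand-in for Ks/Kp */

/* Toy mask word; stands in for the code cipher and the sealing cipher. Not secure. */
static uint32_t mask(uint32_t key, uint32_t index)
{
    return key ^ (index * 0x9E3779B1u);
}

/* savereg: seal registers and the code key together, then scrub the CPU. */
void savereg(cpu_t *cpu, uint32_t blob[CTX_WORDS])
{
    for (uint32_t i = 0; i < NREGS; i++)
        blob[i] = cpu->regs[i] ^ mask(CPU_SECRET, i);
    blob[NREGS] = cpu->code_key ^ mask(CPU_SECRET, NREGS);
    memset(cpu, 0, sizeof *cpu);
}

/* rcvrreg as described above: the key used after restart comes from the blob. */
void rcvrreg_bound(cpu_t *cpu, const uint32_t blob[CTX_WORDS])
{
    for (uint32_t i = 0; i < NREGS; i++)
        cpu->regs[i] = blob[i] ^ mask(CPU_SECRET, i);
    cpu->code_key = blob[NREGS] ^ mask(CPU_SECRET, NREGS);
}

/* Weak variant for comparison: state is sealed, but the caller picks the code key. */
void rcvrreg_unbound(cpu_t *cpu, const uint32_t blob[CTX_WORDS], uint32_t os_key)
{
    for (uint32_t i = 0; i < NREGS; i++)
        cpu->regs[i] = blob[i] ^ mask(CPU_SECRET, i);
    cpu->code_key = os_key;
}

/* Fetch, decrypt if a code key is loaded, execute one instruction.
 * Returns 0 on success, -1 on an illegal instruction (registers are scrubbed). */
int step(cpu_t *cpu, const uint32_t mem[MEM_WORDS])
{
    uint32_t pc = cpu->regs[PC] % MEM_WORDS;
    uint32_t insn = mem[pc];
    if (cpu->code_key != 0)
        insn ^= mask(cpu->code_key, pc);
    if (insn != OP_LEAK) {
        memset(cpu->regs, 0, sizeof cpu->regs);
        return -1;
    }
    cpu->out_port = cpu->regs[0];
    cpu->regs[PC]++;
    return 0;
}

/* Substitution scenario: returns what the substituted code obtained from R0. */
uint32_t substituted_program_output(int bound)
{
    const uint32_t kx = 0x5EC2E7C0u, secret = 0xDEADBEEFu;  /* constructed values */
    uint32_t mem[MEM_WORDS] = {0}, blob[CTX_WORDS];
    cpu_t cpu = {0};

    cpu.regs[0] = secret;        /* original program's working value */
    cpu.regs[PC] = 4;            /* interrupted at address 4 */
    cpu.code_key = kx;
    savereg(&cpu, blob);         /* context switch away from the original program */

    mem[4] = OP_LEAK;            /* other program placed in plaintext at that address */
    if (bound)
        rcvrreg_bound(&cpu, blob);
    else
        rcvrreg_unbound(&cpu, blob, 0);
    step(&cpu, mem);
    return cpu.out_port;
}

int main(void)
{
    printf("key bound to context:   out_port = 0x%08X\n",
           (unsigned)substituted_program_output(1));
    printf("key chosen by restorer: out_port = 0x%08X\n",
           (unsigned)substituted_program_output(0));
    return 0;
}
```

With the key bound to the context, the substituted word is decrypted under Kx into an illegal instruction and nothing reaches the output port; with the unbound restore the same word executes against the original program's registers.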
- In the microprocessor of this example, the encryption of the data is not accounted, but it should be apparent to those skilled in the art that it is possible to add the data encryption function to the microprocessor of this example similarly as the data encryption in the microprocessor for supporting the virtual memory which will be described in the preferred embodiment.
- Referring now to
Fig. 3 to Fig. 14, the preferred embodiment of a tamper resistant microprocessor according to the present invention will be described in detail. - In this embodiment, the microprocessor according to the present invention will be described for an exemplary case of using an architecture based on the widely used Pentium Pro microprocessor of the Intel corporation, but the present invention is not limited to this particular architecture. In the following description, features specific to the Pentium Pro microprocessor architecture will be noted and applications to the other architectures will be mentioned.
- Note that the Pentium Pro architecture distinguishes three types of addresses in the address space including physical addresses, linear addresses and logical addresses, but the linear addresses in the Pentium terminology will also be referred to as logical addresses in this embodiment.
- In the following description, the protection implies the protection of secrets of applications (that is the protection by encryption), unless otherwise stated. Consequently, the protection in this embodiment should be clearly distinguished from the ordinarily used concept of protection, that is the prevention of disturbances on the operations of the other applications due to the operation of some application. However, in the present invention, it is assumed that the operation protection mechanism in the ordinary sense is of course provided by the OS (although the description of this aspect will be omitted as it is unrelated to the present invention), in parallel to the protection of secrets of applications according to the present invention.
- Also, in the following description, machine language instructions that are executable by the processor will be referred to as instructions, and a plurality of instructions will be collectively referred to as an execution code or an instruction stream. A key used in encrypting the instruction stream will be referred to as the execution code encryption key.
- Also, in the following description, the secret protection mechanism will be described as protecting secrets of applications under the management of the OS, but this mechanism can also be utilized as a mechanism for protecting the OS itself from alteration or analysis.
-
Fig. 3 shows a basic configuration of the microprocessor according to this embodiment, and Fig. 4 shows a detailed configuration of the microprocessor shown in Fig. 3. - The
microprocessor 101 has a processor core 111, an instruction TLB (Table Lookup Buffer) 121, an exception processing unit 131, a data TLB (Table Lookup Buffer) 141, and a secondary cache 152. The processor core 111 includes a bus interface unit 112, a code and data encryption/decryption processing unit 113, a primary cache 114, and an instruction execution unit 115. - The
instruction execution unit 115 further includes an instruction fetch/decode unit 214, an instruction table 215, an instruction execution switching unit 216, and an instruction execution completing unit 217. - The
exception processing unit 131 further includes a register file 253, a context information encryption/decryption unit 254, an exception processing unit 255, a secret protection violation detection unit 256, and an execution code encryption key and signature verification unit 257. - The
instruction TLB 121 further includes a page table buffer 230, an execution code decryption key table buffer 231, and a key decryption unit 232. The data TLB 141 further includes a protection table management unit 233. - The
microprocessor 101 has a key storage region 241 for storing a public key Kp and a secret key Ks which are unique to this microprocessor. Now, consider the case of purchasing a desired execution program A from some program vendor and executing it. The program vendor encrypts the program A by using a common execution code encryption key Kcode (EKcode[A]) before supplying the execution program A, and sends the common key Kcode used for encryption in a form encrypted by using the public key Kp of the microprocessor 101 (EKp[Kcode]) to the microprocessor 101. The microprocessor 101 is a multi-task processor which processes not only this execution program A but also a plurality of different encrypted programs in a quasi parallel manner (that is by allowing interruptions). Also, the microprocessor 101 obviously executes not only the encrypted programs but also plaintext programs. - The
microprocessor 101 reads out a plurality of programs encrypted by using different execution code encryption keys from a main memory 281 external of the microprocessor 101 through the bus interface unit (reading function) 112. The execution code decryption unit 212 decrypts these plurality of read out programs by using respectively corresponding decryption keys, and the instruction execution unit 115 executes these plurality of decrypted programs. - In the case of interrupting the execution of some program, the context information encryption/
decryption unit 254 of the exception processing unit 131 encrypts information indicating the execution state up to an interrupted point of the program to be interrupted and the code encryption key of this program by using the public key of the microprocessor 101, and writes the encrypted information into the main memory 281 as the context information. - In the case of restarting the interrupted program, the execution code encryption key and
signature verification unit 257 decrypts the encrypted context information by using the secret key of the microprocessor 101, verifies whether the execution code encryption key contained in the decrypted context information (that is the execution code encryption key of the program scheduled to be restarted) coincides with the original execution code encryption key of the interrupted program, and restarts the execution of the program only when they coincide. - Here, before describing the detailed configuration and functions of the
microprocessor 101, the processing procedure for the execution of plaintext instructions and the execution of encrypted programs by the microprocessor 101 will be outlined. - When the
microprocessor 101 executes a plaintext instruction, the instruction fetch/decode unit 214 attempts to read the content of an address indicated by a program counter (not shown) from an L1 instruction cache 213. If the content of the specified address is cached, the instruction is read out from the L1 instruction cache 213, sent to the instruction table 215, and executed. The instruction table 215 is capable of executing a plurality of instructions in parallel, and requests reading of data necessary for carrying out the execution to the instruction execution switching unit 216 and receives the data. When the instructions are executed in parallel and their execution results are determined, the execution results are sent to the instruction execution completing unit 217. The instruction execution completing unit 217 writes the execution result into the register file 253 when the operation target is a register inside the microprocessor 101, or into an L1 data cache 218 when the operation target is a memory. - The content of the
L1 data cache 218 is cached once again by an L2 cache 152 under the control of the bus interface unit 112, and written into the main memory 281. Here, the virtual memory mechanism is used, where a correspondence between the logical memory address and the physical memory address is defined by a page table shown in Fig. 5. - The page table is a data structure placed on the physical memory. The
data TLB 141 actually carries out a conversion from the logical address to the physical address, and at the same time manages the data cache. The data TLB 141 reads a necessary portion of the table according to a top address of the table indicated by a register inside the microprocessor 101, and carries out the operation for converting the logical address into the physical address. At this point, only the necessary portion of the page table is read out to a page table buffer 234 according to the logical address to be accessed, rather than reading out the entire page table on the memory to the data TLB 141. - The basic cache operation is stable regardless of whether the instructions of the program are encrypted or not. Namely, a part of the page table is read out to the
instruction TLB 121, and the address conversion is carried out according to the definition contained therein. The bus interface unit 112 reads instructions from the main memory 281 or the L2 cache 152, and instructions are stored in the L1 instruction cache 213. The reading of instructions out to the L1 instruction cache 213 is carried out in units of a line formed by a plurality of words, which enables a faster access than the reading in word units. - The address conversion utilizing the same page table on the physical memory is also carried out for the processing target data of the executed instructions, and the execution of the conversion is carried out at the
data TLB 141 as described above. - The operation up to this point is basically the same as the general cache memory operation.
- Next, the operation in the case of executing an encrypted program will be described. In this embodiment, it is assumed that the execution codes for which secrets are to be protected are all encrypted, and the encrypted execution codes will also be referred to as protected codes. In addition, a range of the protection by the same encryption key will be referred to as a protection domain. Namely, a set of codes protected by the same encryption key belongs to the same domain, and codes protected by different encryption keys belong to different protection domains.
- First, the execution codes of a program encrypted by the secret key scheme block cipher algorithm are stored on the
main memory 281. A method for loading the encrypted program transmitted from a program vendor will be mentioned below. - A cipher block size of the execution codes can be any value as long as two to the power of the block size coincides with a line size that is a unit for reading/writing with respect to the cache memory. However, if the block size is so small that a block length coincides with an instruction length, there arises a possibility for analyzing the instruction easily by recording a correspondence between encrypted data and a predictable portion of the instruction such as a top portion of a sub-routine. For this reason, in this embodiment, the blocks are interleaved such that there is a mutual dependency among data in the blocks and the encrypted block contains information on a plurality of instruction words or operands. In this way, it is made difficult to set a correspondence between the instruction and the encrypted block.
-
Figs. 7A and 7B show an example of the interleaving that can be used in this embodiment. In this example, it is assumed that the line size of the cache is 32 bytes and the block size is 64 bits (i.e., 8 bytes). As shown in Fig. 7A, before the interleaving, one word is formed by 4 bytes, so that a word A is formed by 4 bytes of A0 to A3. One line is formed by 8 words of A to H. When this is interleaved in units of 8 bytes corresponding to the block size of 64 bits, as shown in Fig. 7B, A0, B0, ..., H0 are arranged in the first block corresponding to word 0 and word 1, A1, B1, ..., H1 are arranged in the next block, and so on. - An attack can be made more difficult by setting a length of a region to be interleaved longer, but the interleaving of a region with a length longer than the line size makes the processing more complicated and lowers the processing speed because the decryption/encryption of one cache line would depend on reading/writing of another line. Thus it is preferable to set a range for interleaving within a range of the cache line size.
- Here the method for interleaving data of blocks is used such that there is a mutual dependency among data in a plurality of blocks contained in the cache line, but it is also possible to use the other method for generating a dependency among data blocks, such as the CBC (Cipher Block Chaining) mode of the block cipher.
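- The byte layout of Figs. 7A and 7B, as an added example that is not part of the patent text: the C code below interleaves a 32-byte line into four 8-byte blocks and counts how many ciphertext blocks change when a single 4-byte word changes. XTEA is used only as a stand-in 64-bit block cipher, and the key and line contents are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BYTES  32                         /* cache line size in Fig. 7A */
#define BLOCK_BYTES 8                          /* 64-bit cipher block */
#define WORD_BYTES  4                          /* word A = bytes A0..A3 */
#define WORDS       (LINE_BYTES / WORD_BYTES)  /* words A..H */
#define BLOCKS      (LINE_BYTES / BLOCK_BYTES)

/* Fig. 7B layout: cipher block k collects byte k of every word (Ak, Bk, ..., Hk). */
void interleave_line(const uint8_t in[LINE_BYTES], uint8_t out[LINE_BYTES])
{
    for (int w = 0; w < WORDS; w++)
        for (int k = 0; k < WORD_BYTES; k++)
            out[k * BLOCK_BYTES + w] = in[w * WORD_BYTES + k];
}

/* Inverse permutation, applied after block decryption when a line is fetched. */
void deinterleave_line(const uint8_t in[LINE_BYTES], uint8_t out[LINE_BYTES])
{
    for (int w = 0; w < WORDS; w++)
        for (int k = 0; k < WORD_BYTES; k++)
            out[w * WORD_BYTES + k] = in[k * BLOCK_BYTES + w];
}

/* Stand-in 64-bit block cipher (XTEA encryption, 32 cycles). Assumption of this
 * example: the text above does not say which cipher protects the code. */
static void xtea_encrypt(uint8_t b[BLOCK_BYTES], const uint32_t key[4])
{
    const uint32_t delta = 0x9E3779B9u;
    uint32_t v0, v1, sum = 0;
    memcpy(&v0, b, 4);
    memcpy(&v1, b + 4, 4);
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    memcpy(b, &v0, 4);
    memcpy(b + 4, &v1, 4);
}

/* Optionally interleave, then encrypt each 8-byte block independently. */
void encrypt_line(const uint8_t plain[LINE_BYTES], const uint32_t key[4],
                  int interleave, uint8_t out[LINE_BYTES])
{
    if (interleave)
        interleave_line(plain, out);
    else
        memcpy(out, plain, LINE_BYTES);
    for (int b = 0; b < BLOCKS; b++)
        xtea_encrypt(out + b * BLOCK_BYTES, key);
}

/* Constructed sample data: the key and the line contents are made up. */
static const uint32_t SAMPLE_KEY[4] = { 0x01234567u, 0x89abcdefu,
                                        0xfedcba98u, 0x76543210u };

static void sample_line(uint8_t line[LINE_BYTES])
{
    for (int i = 0; i < LINE_BYTES; i++)
        line[i] = (uint8_t)(0x10 + i);
}

/* How many ciphertext blocks differ when one 4-byte word of the line changes? */
int blocks_affected_by_word(int word, int interleave)
{
    uint8_t p0[LINE_BYTES], p1[LINE_BYTES], c0[LINE_BYTES], c1[LINE_BYTES];
    int n = 0;
    sample_line(p0);
    memcpy(p1, p0, LINE_BYTES);
    for (int k = 0; k < WORD_BYTES; k++)
        p1[word * WORD_BYTES + k] ^= 0xFF;
    encrypt_line(p0, SAMPLE_KEY, interleave, c0);
    encrypt_line(p1, SAMPLE_KEY, interleave, c1);
    for (int b = 0; b < BLOCKS; b++)
        n += memcmp(c0 + b * BLOCK_BYTES, c1 + b * BLOCK_BYTES, BLOCK_BYTES) != 0;
    return n;
}

/* 1 if deinterleaving undoes interleaving and byte A1 opens the second block. */
int roundtrip_ok(void)
{
    uint8_t p[LINE_BYTES], m[LINE_BYTES], d[LINE_BYTES];
    sample_line(p);
    interleave_line(p, m);
    deinterleave_line(m, d);
    return memcmp(p, d, LINE_BYTES) == 0 && m[BLOCK_BYTES] == p[1];
}

int main(void)
{
    printf("plain layout:       word A touches %d block(s)\n",
           blocks_affected_by_word(0, 0));
    printf("interleaved layout: word A touches %d block(s)\n",
           blocks_affected_by_word(0, 1));
    printf("permutation round trip ok: %d\n", roundtrip_ok());
    return 0;
}
```

Without interleaving a changed word stays inside one ciphertext block, so a predictable instruction maps to a recognisable block; with the Fig. 7B layout the same word is spread over all four blocks of the line.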
- The decryption key Kcode (which will also be referred to as the encryption key hereafter even in the case of decryption because the encryption key and the decryption key are identical in the secret key algorithm) of the encrypted execution codes is determined according to the page table.
Fig. 5 and Fig. 6 show a table structure of the conversion from the logical address to the physical address. - A
logical address 301 of the program counter indicates some value, and a directory 302 and a table 303 constituting its upper bits specify a page entry 307-j. The page entry 307-j contains a key entry ID 307-j-k, and a key entry 309-m to be used for decryption of this page is determined in a key table 309 according to this ID. The physical address of the key table 309 is specified by a key table control register 308 inside the microprocessor. - In this configuration, the ID of the key entry is set in the page entry rather than setting the key information directly, such that the key information in a large size is shared among a plurality of pages so as to save a limited size of a memory region on the
instruction TLB 121. - In further detail, the page table and key table information is stored into the
instruction TLB 121 as follows. Only portions necessary for the access to the memory are read out from the page tables 306, 307 and 311 to the page table buffer 230, and from the key table 309 to the execution code decryption key table buffer 231. - In a state of being stored on the main memory, a reference counter of the key object 309-m which is an element of the key table 309 indicates the number of page tables that refer to this key object. In a state where the key object is read out to the execution code decryption
key table buffer 231, this reference counter indicates the number of page tables that refer to this key object and that are read out to the page table buffer 230. This reference counter will be used for judgement at a time of deleting any unnecessary key object from the execution code decryption key table buffer 231. - One of the features of this embodiment is that the key table entry has a fixed length but a key length used in each table is made variable in order to be able to deal with a higher cryptoanalytic power, and specified at a key size region of the key table. It implies that the secret key Ks unique to the
microprocessor 101 is fixed but the length of Kcode to be used for encryption and decryption of the program can be changed by the specification of the key entry. In order to specify a position of the variable length key, the key entry 309-m has a field 309-m-4 pointing to the key entry, which indicates an address of the key object 310. - In the
key object region 310, the execution code encryption key Kcode is stored in a form EKp[Kcode] encrypted by the public key algorithm using the public key Kp of the microprocessor 101. In order to encrypt data safely in the public key algorithm, a large redundancy is necessary, so that a length of the encrypted data becomes longer than a length of the original data. Here, lengths of Ks and Kp are set to be 1024 bits, a length of Kcode is set to be 64 bits, which is extended to 256 bits by padding, and E[Kcode] is encrypted in a length of 1024 bits and stored in the key object region 310. When Kcode is so long that it cannot be stored in 1024 bits, it is divided into a plurality of blocks of 1024 bits size each and stored. -
Fig. 8 summarizes the information flow in the code decryption. A program counter 501 indicates an address "Addr" on an encrypted code region 502 on a logical address space 502. The logical address "Addr" is converted into the physical address "Addr'" according to the page table 307 that is read out to the instruction TLB 121. At the same time, the encrypted code decryption key E[Kcode] is taken out from the key table 309, decrypted by using the secret key Ks provided in the CPU at a decryption function 506, and stored into a current code decryption key memory unit 507. The common key Kcode for the code encryption is encrypted by using the public key Kp of the microprocessor 101 by the program vendor, and supplied along with the program encrypted by using Kcode, so that the user who does not know the secret key Ks of the microprocessor 101 cannot know Kcode. - After the program execution codes are encrypted by using Kcode and shipped, the program vendor keeps and manages Kcode safely such that its secret will not be leaked to a third party.
- An entire key table 511 and an entire page table 512 are placed in a
physical memory 510, and their addresses are specified by a key table register 508 and a CR3 register 509 respectively. From the contents of these entire tables, only necessary portions are cached into the instruction TLB 121 through the bus interface unit 112. - Now, when a
content 503 corresponding to the physical address "Addr'" as converted by the instruction TLB 121 is read out by the bus interface unit 112, this page is encrypted so that it is decrypted at a code decryption function 212. The reading is carried out in units of the cache line size, and after the decryption in block units, the inverse processing of the interleaving described above is carried out. The decrypted result is stored in the L1 instruction cache 213, and executed as an instruction. - Here, the method for loading the encrypted program and the relocation of the encrypted program will be described. For the loading of a program into the memory, there is a method in which a program loader changes an address value contained in the execution codes of the program in order to deal with a change of an address for loading the program, but this method is not applicable to the encrypted program. However, the relocation of the encrypted program is possible by using a method of realizing the relocation without directly rewriting the execution codes by utilizing a table called jump table or IAT (Import Address Table).
- Further details of the loading procedure and the relocation for general programs can be found, for example, in L.W. Allen et al., "Program Loading in OSF/1", USENIX winter, 1991, and the loading method and the relocation for the encrypted program can be found in Japanese Patent Application No.
2000-35898 - It is possible to protect the execution codes placed on the memory external of the processor by the above described method for decrypting the encrypted execution codes of the program, reading them out to the cache memory inside the processor, and executing them.
- However, the execution codes that are decrypted into plaintext can exist inside the processor. Even if it is impossible to read them out directly from outside the processor, there is a possibility for the plaintext program to be read out and analyzed by the other programs that are operated in the same processor.
- In this embodiment, the key decryption processing by using the
secret key 241 and the key decryption unit 232 of the instruction TLB 121 is not carried out at a time of data reading into an L1 data cache 218. When the data reading is carried out with respect to an encrypted page for which an encryption flag 307-j-E is set to "1" in the page table, either non-decrypted original data or data of a prescribed value "0" will be read out, or else an exception occurs such that the normally decrypted data cannot be read out. Note that when the encryption flag 307-j-E in the page table is rewritten, the decrypted content of the corresponding instruction cache will be invalidated. - By this mechanism, it becomes impossible for the other programs (including the own program) to read the execution codes of the encrypted program as data, and decrypt them by utilizing functions of the processor.
- Also, the other programs cannot explicitly read data in the instruction cache, so that the safety of the execution codes can be guaranteed. The safety of the data will be described below.
- Because the encrypted execution codes can be executed in this way, in the microprocessor of this embodiment, by selecting the encryption algorithm and parameters appropriately, it can be made cryptographically impossible for a party who does not know the true value of the execution code encryption key Kcode to analyze the operation of the program by de-assembling the execution codes.
- Thus the user cannot know the true value of the execution code encryption key Kcode, and it can be made cryptographically impossible for the user to make an alteration according to the user's intention such as illegal copying of the contents handled by the application by altering a part of the encrypted program.
- Next, another feature of the microprocessor of this embodiment regarding the encryption, signature and its verification for the context at a time of interrupting the program execution under the multi-task environment will be described.
- The execution of the program under the multi-task environment is often interrupted by the exception. Normally, when the execution is interrupted, a state in the processor is saved on the memory, and then the original state is recovered at a time of restarting the execution of that program later on. In this way, it becomes possible to execute a plurality of programs in a quasi parallel manner and accept the interruption processing. This information on the state at a time of the interruption is called the context information, the context information contains information on registers used by the application, and in some cases, information on registers that are not explicitly used by the application is also contained in addition.
- In the conventional processor, when the interruption occurs during the execution of some program, the control is shifted to the execution codes of the OS while the register state of the application is maintained, so that the OS can check the register state of that program to guess what instructions were executed, or alter the context information maintained in a plaintext form during the interruption so as to change the operation of the program after the restart of the execution of that program.
- In view of this fact, in this embodiment, when the interruption occurs during the execution of the protected codes, the context of the execution immediately before that is encrypted and saved while all the application registers are either encrypted or initialized, and a signature made by the processor is attached to the context information. The signature is verified at a time of recovery from the interruption, to check whether the signature is proper or not. When the improper signature is detected, the recovery is stopped so that the illegal alteration of the context information by the user can be prevented. At this point, the encryption target registers are user registers 701 to 720 shown in Fig. 9.
- In the Pentium Pro architecture, there is a hardware mechanism for assisting the saving of the context information of the process into the memory and its recovery. A region for saving the state is called TSS (Task State Segment). In the following, an exemplary case of applying the present invention to this mechanism will be described, but the present invention is not limited to the Pentium Pro architecture, and is equally applicable to any processor architectures in general.
- The saving of the context information in conjunction with the exception occurrence takes place in the following case. When the exception occurs, an entry corresponding to the interruption cause is read out from a table called IDT (Interrupt Descriptive Table) for describing the exception processing, and the processing described there is executed. When the entry indicates a TSS, the context information saved in the indicated TSS is recovered to the processor. On the other hand, the context information of the process that has been executed up until then is saved in the TSS region specified by a task register 725 at that point.
- Using this automatic context saving mechanism, it is possible to save the entire state of the application including the program counter and the stack pointer, and detect any alteration at a time of the recovery by verifying the signature. However, when this automatic context saving is used, apart from the fact that a large overhead will be caused by the context switching, there arises a problem that it is impossible to carry out the interruption processing without using the TSS.
- In order to reduce the overhead due to the interruption processing, or to maintain the compatibility with the existing programs, it is preferable not to use the automatic context saving mechanism, but in such a case, the program counter will be saved on the stack and cannot be a target of the verification, so that it can be a target of the alteration by the malicious OS. These two cases should preferably be used in their proper ways according to the purpose. For this reason, the microprocessor of this embodiment adopts the automatic context saving with respect to the protected (encrypted) execution codes as a result of attaching more importance to the safety. The registers to be automatically saved may not necessarily be all registers.
- The context saving and recovery processing in this embodiment has the following three major features.
- (1) The contents of the saved context can be decrypted only by the microprocessor that generated the context and a person who knows the encryption key Kcode of the program that generated the context.
- (2) In the case where the program protected by some execution code encryption key X is interrupted and its context is saved, its restart processing cannot be applied to the restart of a non-protected program or a program encrypted by another execution code encryption key Y. Namely, the program to be recovered from the interruption cannot be replaced by another program at a time of the restart.
- (3) The recovery of the altered context is prohibited. Namely, if the saved context is altered, that context will not be recovered.
- By the above feature (1), it is possible to maintain the safety of the context information while enabling the analysis of the context information by the program vendor. The fact that the program vendor has a right to analyze the context information is important in order to maintain the quality of the program by analyzing causes of any trouble that occurred according to a condition by which the program is used by the user.
- The above feature (2) is effective in preventing a situation where an attacker applies the context generated by the execution of a program A to another encrypted program B and restarts the program B from a known state saved in the context in order to analyze secrets of the data or the codes contained in the program B or alter the operation of the program B. This function is also a prerequisite for the data protection to be described below in which each one of a plurality of applications maintains own encrypted data exclusively and independently from the others.
- By the above feature (3), it is possible to strictly eliminate the alteration of the context information utilizing an occasion of the restart of the program.
- The reason for providing such a function is that simply encrypting the context information according to the secret information of the processor can protect the context information from the alteration according to the intention of the attacker, but it is impossible to eliminate a possibility for the random alteration of the context that results in the restart of the program from a state with random errors.
- In the following, the context saving and verification method incorporating the above three features will be described in further detail.
- Fig. 10 shows the context saving format in this embodiment conceptually. It is assumed that the interruption due to the hardware or software related cause has occurred during the execution of the protected program. If the IDT entry corresponding to the interruption indicates a TSS, the execution state of the program up to that point is encrypted, and saved as the context information in a TSS indicated by the current task register 725 (rather than the indicated TSS itself). Then, the execution state saved in the TSS indicated by the IDT entry is recovered to the processor. If the IDT entry does not indicate a TSS, only the encryption or the initialization of the current registers is carried out, and the saving into the TSS does not take place. Of course the restart of that program becomes impossible in that case. Note however that the system registers including a part of the flag registers and the task register are excluded from a target of the encryption or the initialization of the registers for the sake of continuation of the OS operation.
- The contents of the context shown in Fig. 10 are actually interleaved, encrypted in block units and stored in the memory. Here the information items to be saved will be described first. At a top, stack pointers and user registers 802 to 825 corresponding to respective privileged modes are provided, and one word 826 indicating a TSS size and the presence/absence of the encryption is placed next. This indicates whether the TSS in which the processor is saved is encrypted or not. Even in the case where the TSS is encrypted, this region will be maintained in a plaintext form without being encrypted.
- After that, data encryption control register (CY0 to CY3) regions 827 to 830 that are added for the purpose of the data protection are placed, and a padding 831 for adjusting the size to the block length is placed. Finally, a value EKcode[Kr] 832 in which a key Kr used in encrypting the context is encrypted by the secret key algorithm using the execution code encryption key Kcode, a value EKp[Kr] 833 in which the key Kr used in encrypting the context is encrypted by using the public key Kp of the processor, and a signature SKs[message] 834 using the secret key Ks of the processor with respect to them all are placed. Also, a region 801 for a link to the previous task that maintains a call up relationship among tasks is saved in a plaintext form in order to enable the task scheduling by the OS.
- These execution code encryption and signature generation are carried out by the context information encryption/decryption unit 254 in the exception processing unit 131 shown in Fig. 4, which is based on a function independent from the encryption of the processing target data of the execution codes. At a time of saving the context information in the TSS, even if some encryption is specified in an address of the TSS by the other data encryption function, this specification is ignored and the context information is saved in a state in which the context is encrypted. This is because the encryption attributes of the data encryption function are specific to each protected (encrypted) program so that the restart of some program cannot depend on that function.
- In encrypting the context, a word in the TSS size region 826 to be recorded in a plaintext form is replaced by a value "0". Then, the interleaving similar to that explained with reference to Figs. 7A and 7B is applied, and the context is encrypted. At this point, the padding 831 is set to a size that enables the appropriate interleaving in accordance with the encryption block size.
- Here, the reason for not encrypting the register values directly by the public key Kp of the processor or the execution code encryption key Kcode is to enable the analysis of the encrypted context by both the program vendor and the processor while prohibiting the decryption of the context by the user.
- The program vendor knows the execution code encryption key Kcode so that the program vendor can obtain the encryption key Kr of the context by decrypting EKcode[Kr] 832 by using Kcode. Also, the microprocessor 101 can obtain the encryption key Kr of the context by decrypting EKp[Kr] 833 by using the own secret key Ks. Namely, the program vendor can analyze the trouble by decrypting the context information without knowing the secret key of the microprocessor of the user, and the microprocessor 101 itself can restart the execution by decrypting the context information by using the own secret key Ks. The user who does not have either key cannot decrypt the saved context information. Also, the user who does not know the secret key Ks of the microprocessor 101 cannot forge the context information and the signature SKs[message] with respect to EKcode[Kr] and EKp[Kr].
- In order to enable the mutually independent decryption of the context information by the program vendor and the microprocessor, it is also possible to consider a method for encrypting the context information directly by using Kcode. However, in the case where the register state is already known, there is a possibility for the known-plaintext attack against the execution code encryption key Kcode. Namely, when a value of the key for encrypting data is fixed, the following problem arises. Consider the case of executing a program which reads a data input by the user and writes it into a working memory temporarily by encrypting it. The data that are to be encrypted and written into the working memory can be ascertained by monitoring the memory, so that the user can repeat the input many times by changing the input value and obtain the corresponding encrypted data. This implies that the chosen-plaintext attack of the cryptoanalysis theory is possible.
- The known-plaintext attack is not fatal to the secret key algorithm, but it is still preferable to avoid that. For this reason, a random number Kr is generated at a random number generation mechanism 252 of the exception processing unit 131 at each occasion of the context saving, and supplied to the context information encryption/decryption unit 254. The context information encryption/decryption unit 254 encrypts the context by the secret key algorithm using the random number Kr. Then, the value EKcode[Kr] 832 in which the random number Kr is encrypted by the same secret key algorithm using the execution code encryption key Kcode is attached. The value EKp[Kr] 833 is obtained by encrypting the random number Kr by the public key algorithm using the public key Kp of the microprocessor.
- Here, the random number is generated by the random number generation mechanism 252. In the case where the program is encrypted, normally there is no change in the program codes so that the corresponding plaintext codes cannot be acquired illegally as long as the operation is not analyzed. In this case, there is a need to carry out the "ciphertext-only attack" in order to cryptoanalyze, so that it is very difficult to find the encryption key. However, in the case where the data entered by the user are to be stored into the memory by encrypting them, the user can freely select the input data. For this reason, it is possible for the user to make the "chosen-plaintext attack" against the encryption key which is far more effective than the "ciphertext-only attack".
- Against the chosen-plaintext attack, it is possible to adopt a measure for enlarging the search space by adding a random number called "salt" into the plaintext to be protected. However, it is very tedious to implement the saving into the memory in a form where the "salt" random number is incorporated in every data at the application programming level, so that this can cause the lowering of the programming efficiency and performance.
- For this reason, the random number generation mechanism 252 generates the random number (encryption key) for encrypting the context at each occasion of the context saving. As the encryption key can be selected arbitrarily, there is also an effect that the safe communications between processes or between processes and devices can be realized faster. This is because the speed for encrypting data by the hardware at a time of the memory access is far slower in general than the speed for encrypting data by the software.
- On the contrary, if the value of the encryption key for the data region is limited to a prescribed value such as that identical to the execution code encryption key for example, then it becomes impossible to use the data encryption function of the processor for the other programs encrypted by the other encryption keys or the sharing of the encrypted data with the devices, so that it becomes impossible to take advantage of the fast hardware encryption function provided in the processor.
- Note that the decryption of the encrypted random number EKcode[Kr] 832 that takes place at a time of the restart and the generation of the signature 834 can be based on any algorithm and secret information as long as a condition that they can be carried out only by the microprocessor 101 is satisfied. In the above example, the secret key Ks unique to the microprocessor 101 (which is also used for the decryption of the execution code encryption key Kcode) is used for both, but respectively different values may be used for these purposes.
- Also, the saved context contains a flag indicating the presence/absence of the encryption, so that the encrypted context information and the non-encrypted context information can coexist according to the need. The TSS size and the flag indicating the presence/absence of the encryption are stored in a plaintext form so that it is easy to maintain the compatibility with respect to the past programs.
- At a time of restarting the process by recovering the context, the OS issues a jump or call instruction with respect to a TSS descriptor indicating the saved TSS.
- Returning now to Fig. 4, the execution code encryption key and signature verification unit 257 of the exception processing unit 131 verifies the signature SKs[message] 834 by using the secret key Ks of the processor first, and sends the verification result to the exception processing unit 255. In the case where the verification result is failure, the exception processing unit 255 stops the restart of the execution of the program, and causes the exception. By this verification, it is possible to confirm that the context information is surely generated by the proper microprocessor 101 that has the secret key and not altered.
- When the verification of the signature succeeds, the context information encryption/decryption unit 254 obtains the random number Kr by decrypting the context encryption key EKp[Kr] 833 by using the secret key Ks. On the other hand, the execution code encryption key Kcode corresponding to the program counter (EIP) 809 is taken out from the page table buffer 230, and sent to the current code encryption key memory unit 251. The context information encryption/decryption unit 254 decrypts EKcode[Kr] by using the execution code decryption key Kcode, and sends the result to the execution code encryption key and signature verification unit 257. The execution code encryption key and signature verification unit 257 verifies whether the decryption result of EKcode[Kr] 832 coincides with the decryption result of the microprocessor using the secret key Ks or not. By this verification, it is possible to confirm that this context information is generated by the execution of the execution codes encrypted by using the secret key Kcode.
- If this verification of the execution code encryption key with respect to the context information is not carried out, it would become possible for the user to make an attack by producing codes encrypted by using any suitable secret key Ka and applying the context information obtained by executing these codes to the codes encrypted by the other secret key Kb. The above verification eliminates a possibility of this attack and guarantees the safety of the context information for the protected codes.
- This object can also be achieved by adding a secret execution code encryption key Kcode to the context information, but in this embodiment, by the use of the value EKcode[Kr] in which a secret random number Kr used in encrypting the context information is encrypted by using the execution code encryption key Kcode selected by the program vendor, it is possible to reduce the amount of memory required for saving the context information so as to achieve the effects of the fast context switching and the memory saving. This also enables the feedback of the context information to the program creator.
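The save format and the two restart checks described above can be modelled in software; the following Python sketch is an added illustration, not code from the patent or from any processor implementation. It assumes stand-ins throughout: textbook RSA over two small Mersenne primes plays the processor key pair (Kp, Ks), a SHA-256 counter keystream plays the secret key algorithm, and the dictionary field names and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy RSA pair standing in for the processor keys (Kp, Ks). Two Mersenne primes
# keep the block offline and short; textbook RSA at this size is NOT secure.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # secret exponent, held only by the chip
N_LEN = (N.bit_length() + 7) // 8


def sym(key: bytes, data: bytes) -> bytes:
    """Stand-in for the secret key algorithm: XOR with a SHA-256 counter
    keystream, so the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def digest_int(message: bytes) -> int:
    """Hash of the signed fields, reduced into the toy RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def signed_part(tss: dict) -> bytes:
    """Everything the signature covers: context, EKcode[Kr] and EKp[Kr]."""
    return tss["regs"] + tss["ekcode_kr"] + tss["ekp_kr"]


def save_context(registers: bytes, kcode: bytes) -> dict:
    """Processor side, when protected code is interrupted."""
    kr = secrets.token_bytes(16)                      # fresh Kr for every save
    wrapped = pow(int.from_bytes(kr, "big"), E, N)    # Kr under public key Kp
    tss = {
        "regs": sym(kr, registers),                   # context encrypted under Kr
        "ekcode_kr": sym(kcode, kr),                  # EKcode[Kr] 832
        "ekp_kr": wrapped.to_bytes(N_LEN, "big"),     # EKp[Kr] 833
    }
    tss["sig"] = pow(digest_int(signed_part(tss)), D, N)   # SKs[message] 834
    return tss


def restore_context(tss: dict, kcode_for_eip: bytes) -> bytes:
    """Processor side, on restart. kcode_for_eip is the key the page table
    associates with the saved program counter."""
    # Check 1: the record was produced by this processor and is unaltered.
    if pow(tss["sig"], E, N) != digest_int(signed_part(tss)):
        raise ValueError("signature verification failed")
    # Recover Kr with the processor secret key Ks.
    kr = pow(int.from_bytes(tss["ekp_kr"], "big"), D, N).to_bytes(16, "big")
    # Check 2: Kr recovered through Kcode must match, which binds the context
    # to the program encrypted with that execution code key.
    if not hmac.compare_digest(sym(kcode_for_eip, tss["ekcode_kr"]), kr):
        raise ValueError("execution code key mismatch")
    return sym(kr, tss["regs"])


def restore_status(tss: dict, kcode_for_eip: bytes) -> str:
    """Outcome of a restart attempt as a string, for logging or testing."""
    try:
        restore_context(tss, kcode_for_eip)
        return "restored"
    except ValueError as err:
        return str(err)


def vendor_decrypt(tss: dict, kcode: bytes) -> bytes:
    """Program vendor side: reads the context with Kcode alone, without Ks."""
    kr = sym(kcode, tss["ekcode_kr"])
    return sym(kr, tss["regs"])


if __name__ == "__main__":
    k_a, k_b = b"A" * 16, b"B" * 16                   # constructed code keys
    saved = save_context(b"EIP=00401000 ESP=0012ff00", k_a)   # constructed state
    print(restore_status(saved, k_a))                 # same program
    print(restore_status(saved, k_b))                 # context replayed on program B
```

Restoring with another program's key fails at the second check, and changing any signed byte fails at the first, which correspond to features (2) and (3) listed earlier.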
- Now, when the verification of the execution code encryption key and the verification of the signature by the execution code encryption key and signature verification unit 257 both succeed, the context is recovered to the register file 253, and the program counter value is also recovered so that the control is returned to an address at a time of the execution interruption that caused this context to be generated.
- When either one of these verifications fails so that the exception processing unit 255 causes the exception to occur, an exception occurrence address indicates an address at which the jump or call instruction is issued. Also, a value indicating illegality of the TSS is stored into an interruption cause field in the IDT table, and an address of a jump target TSS is stored into a register that stores an address that is the cause of the interruption. In this way, the OS can learn the cause of the context switching failure.
- Note that, in order to realize the faster restart processing, it is also possible to use a configuration in which the supply of the execution state encrypted by the context information encryption/decryption unit 254 to the register file 253 and the verification processing by the execution code encryption key and signature verification unit 257 are carried out in parallel, and the subsequent processing is stopped when the verification fails.
- The safety of this encryption scheme using a random number depends on the impossibility to predict a random number sequence used, and a method for generating by hardware a random number that is very hard to predict is disclosed in Onodera, et al., Japanese Patent No. 2980576.
- The analysis of the context information by the program vendor is important in improving the quality of the program by analyzing the causes of any trouble in the program that occurred according to a condition by which the program is used by the user. In this embodiment, in view of this fact, the above described scheme for realizing both the safety of the context and the capability of the context information analysis by the program vendor is employed, but it is also true that the use of this scheme increases the overhead of the context saving.
- Moreover, the verification of the context information by using the signature made by the microprocessor prevents the execution of the protected codes in the illegal context information by using a combination of arbitrarily selected value and encryption key, but this additional protection also increases the overhead.
- Consequently, in the case where there is no need for the capability of the context information analysis by the program vendor or a mechanism for eliminating the program restart using the illegal context information, the context information containing information for identifying the execution code encryption key may be directly encrypted by using the secret key of the processor. Even in such a case, it is still possible to make the intentional alteration of the context cryptographically impossible, and prevent the context information from being applied to a program encrypted by using a different encryption key.
- Here, the context saving format will be described further. Its relationship with the operation will be described later.
- In Fig. 10, an "R" bit 825-1 is a bit indicating whether the context is restartable or not. When this bit is set to "1", the execution can be restarted by recovering the state saved in the context by the above described recovery procedure, whereas when this bit is set to "0", the restart cannot be made. This has an effect of preventing the restart of the context in which the illegality is detected during the execution of the encrypted program so as to limit the restartable contexts to only those in the proper states.
- A "U" bit 825-2 is a flag indicating whether the TSS is a user TSS or a system TSS. When this bit is set to "0", the saved TSS is the system TSS, and when this bit is set to "1", the saved TSS is the user TSS. The TSS that will be saved and recovered through the task switching accompanied by the change of the privilege from the exception entry as described above or through a task gate call up is the system TSS.
- The difference between the system TSS and the user TSS lies in whether a task register indicating a TSS saving location of the currently executed program is to be updated or not at a time of the recovery of the TSS. In the recovery of the system TSS, the task register of the currently executed program will be saved in the link to the previous task region 801 of the TSS to be newly recovered, and the segment selector of the new TSS will be read into the task register. On the other hand, in the recovery of the user TSS, the update of the task register value will not be carried out. The user TSS is aimed only at the saving and the recovery of the register state of the program so that it is not accompanied by the change of the privileged mode.
- The exception includes a software interrupt used for the system call up from the application program. In the case of the software interrupt for the purpose of the system call up, the general purpose register is often used for the parameter exchange, and there can be cases where the context information encryption can obstruct the parameter exchange.
- The software interrupt is generated by the application itself, so that it is possible for the application to destroy information of the registers that have secrets, prior to the generation of the software interrupt. Under the presumption of such conditions, it is possible to use a scheme in which the encryption of the registers is not carried out only in the case of the software interrupt. Of course, in such a case, the application program creator should take this fact into consideration and design the program such that the secrets of the program can be protected.
- Next, the suppression of the plaintext program debugging function will be described.
- The processor has a step execution function which causes the interruption whenever one instruction is executed, and a debugging function which causes the exception whenever a memory access with respect to a specific address is made. These functions may be useful for the development of programs but they can impair the safety of programs that are encrypted for the purpose of the secret protection. Consequently, in the microprocessor of this embodiment, such debugging functions are suppressed during the execution of the encrypted program.
- The instruction TLB 121 can judge whether the currently executed code is protected or not (encrypted or not). During the execution of the protected code, two debugging functions including a debug register function and a step execution function are prohibited in order to prevent an intrusion of the encrypted program analysis from a debug flag or a debug register.
- The debug register function is a function in which a memory access range and an access type such as reading/writing as the execution code or data are set in advance into a debug register provided in the processor such that the interruption is caused whenever a corresponding memory access occurs. In this embodiment, during the execution of the protected code, the contents set in the debug register will be ignored so that the interruption for the purpose of the debugging will not occur. Note however that the case where a debug bit is set in the page table is excluded from this rule. The debug bit in the page table will be described later.
- During the execution of a non-protected (plaintext) code, the interruption will be caused whenever one instruction is executed if a step execution bit in an EFLAGS register of the processor is set, but during the execution of the protected code, this bit will also be ignored so that the interruption will not occur.
- In this embodiment, in addition to the encryption of the execution codes for the purpose of preventing the analysis, these functions make the analysis of the program by the user difficult by preventing the dynamic analysis of the program using the debug register or the debug flag.
- Next, the protection of the processing target data of the execution codes will be described.
- In this embodiment, the encryption attributes for protecting data are defined in four registers CY0 to CY3 that are provided inside the microprocessor 101. They correspond to regions 717 to 720 shown in Fig. 9. In Fig. 9, details of the registers CY0 to CY2 are omitted, and only details of the register CY3 are shown.
- Elements of the encryption attribute will now be described by taking the CY3 register 717 as an example. Upper bits of the logical address indicating a top of the region to be encrypted are specified in a base address 717-1. The size of the region is specified in a size region 717-4. A size is specified in units of the cache line so that there is an invalid portion at the lower bits. A data encryption key is specified in a region 717-5. Here the secret key algorithm is used so that the region 717-5 is also used for the decryption key. When a value of the encryption key is specified as "0", it implies that the region indicated by that register is not encrypted.
- Among the specifications of the regions, CY0 is given the highest priority, and CY1 to CY3 are given sequentially lower priorities in this order. For example, when the regions specified by CY0 and CY1 overlap, the attributes of CY0 are given the priority over those of CY1 in that region. Also, the definition of the page table is given the highest priority in the case of a memory access as the execution code rather than as the processing target data.
- A debug bit 717-4 is used in selecting whether the data operation in the debugging state is to be carried out in an encrypted state or in a plaintext state. Details of the debug bit will be described later.
- Fig. 12 shows the information flow in the encryption/decryption of the processing target data of the execution codes. Here, the data protection is made only in the state where the code is protected, that is the code is executed in an encrypted state. Note however that the case where the code is executed in the debugging state to be described below will be excluded from this rule. When the code is protected, the contents of the data encryption control registers (which will be also referred to as the encryption attribute registers or the data protection attribute registers) CY0 to CY3 are read from the register file 253 shown in Fig. 4 to a data encryption key table 236 provided inside the data TLB 141.
- When some instruction writes data into a logical address "Addr", the data TLB 141 judges whether the logical address "Addr" is contained in ranges of CY0 to CY3 or not by checking the data encryption key table 236 (see Fig. 4). As a result of the judgement, if the encryption attribute is specified, the data TLB 141 commands the code encryption function 212 to encrypt the memory content by the specified encryption key at a time of the memory writing of a corresponding cache line from the L1 data cache 218 to the memory.
- Similarly, in the case of reading, if the target address has the encryption attribute, the data TLB 141 commands the data decryption function 219 to decrypt the data by the specified encryption key at a time of the reading of a cache line out to the corresponding L1 data cache 218.
- In this embodiment, the data encryption attributes are protected from the illegal rewriting including the privilege of the OS by placing all the data encryption attributes for the data encryption in the registers inside the microprocessor 101 and saving the contents of the registers at a time of the execution interruption as the context information in a safe form into a memory (the main memory 281 of Fig. 4, for example) external of the microprocessor 101.
- The data encryption/decryption is carried out in units of the cache line that is interleaved as described above in relation to the context encryption. For this reason, even when one bit of the data on the L1 cache 114 is rewritten, the other bits in the cache line will be rewritten on the memory. The execution of the data reading/writing is carried out collectively in units of the cache line, so that the increase of the overhead is not so large, but it should be noted that the reading/writing with respect to the encrypted memory regions cannot be carried out in units less than or equal to the cache line size.
- In the above, the method for protecting the data by encryption in this embodiment has been described. By this method, on the main memory, it is possible to process the encrypted data by encrypting them inside the processor by using the encryption key and the memory range specified by the application program, and read/write them as plaintext data from a viewpoint of the application.
- Next, two mechanisms for preventing reading of the data stored in a plaintext form in the cache memory inside the processor by a program other than the encrypted programs that has read these data (which will be referred to as the other program) will be described.
- First, the program is identified by its encryption key. This identification is made by using a key object identifier used at a time of decrypting the currently executed instruction inside the processor. Here, a value of the key itself may be used for this identification, but a value of the execution code decryption key has a rather large size of 1024 bits before the decryption or of 128 bits after the decryption which would require an increase of the hardware size, so that the key object identifier which has a total length of only 10 bits is used.
- The L1 instruction cache 213 in which the decrypted execution codes are to be stored has attribute memories in correspondence to the cache lines. When the decrypted execution codes are stored into the L1 instruction cache 213 by the code decryption function 212, the key object identifier is written into the attribute memory.
- Also, in the case of reading the encrypted data from the memory and decrypting it, the contents of the data protection attribute registers CY0 to CY3 are read out from the register file 253 to a protection table management function 233 of the data TLB 141. At this point, the key object identifier corresponding to the currently executed instruction is also read from the current code encryption key memory unit 251 at the same time and maintained in the protection table management function 233.
- Similarly as in the case of the instruction cache, the data cache 218 has attribute memories in correspondence to the cache lines. When the data read out from the memory is decrypted by the data decryption function 219 and stored into the L1 data cache 218, the key object identifier is written into the attribute memory from the protection table management function 233.
- When some instruction is executed and the data referring is carried out, the key object identifier written in the attribute of the data cache and the key object identifier of that instruction in the instruction cache are compared by the secret protection violation detection unit 256. If they do not coincide, the exception of the secret protection violation occurs and the data referring fails. In the case where the attribute of the data cache indicates a plaintext, the data referring always succeeds.
- Note that, when the attributes of the instruction and the data do not coincide, instead of causing the exception, it is also possible to discard the content of this data cache and re-read the data from the memory once again.
- For example, consider program-1 and program-2 for which the execution code encryption key as well as the data protection attribute registers CY0 to CY3 are different. If the encrypted data referred to and written into the cache by program-1 is then referred to by program-2, program-2 will read out different data. This operation is in accord with the purpose of protecting secrets.
- If two programs have the same data encryption key and data at the same address are referred by them, the same data will be read so that this data can be shared between them.
- In this way, in this embodiment, data generated by some program-1 can be protected from being referred by another program-2 by providing a function for maintaining attributes of the instruction to be executed and the data indicating programs to which they originally belong, and comparing the attributes to see if they coincide or not at a time of the data referring due to the instruction execution.
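The attribute-tag check described above, as an added behavioural model in C (not code from the patent): a one-line data cache is tagged with the 10-bit key object identifier of the program that filled it, and a reference from a program with another identifier either raises the violation or discards and refills the line. The XOR stand-in for the cipher, the 8-byte line, tag value 0 for a plaintext line and all names are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BYTES    8       /* constructed line size for the model */
#define KID_MASK      0x3FFu  /* the key object identifier is 10 bits long */
#define KID_PLAINTEXT 0u      /* assumption: tag value that marks a plaintext line */

enum policy { POLICY_EXCEPTION, POLICY_REFILL };  /* the two reactions the text allows */
enum result { REF_OK, REF_VIOLATION };

struct program {
    uint16_t key_object_id;   /* identifies the execution code decryption key */
    uint8_t  data_key;        /* toy data key from CY0..CY3; 0 = plaintext access */
};

struct cache_line {
    int      valid;
    uint16_t tag_kid;         /* attribute memory of the line */
    uint8_t  plain[LINE_BYTES];
};

static uint8_t memory_line[LINE_BYTES];  /* external memory: ciphertext only */
static struct cache_line dcache;          /* one-line L1 data cache */

static void reset_model(void)
{
    memset(memory_line, 0, sizeof memory_line);
    memset(&dcache, 0, sizeof dcache);
}

/* XOR is a stand-in for the real block cipher; it is NOT secure. */
static void toy_crypt(uint8_t *dst, const uint8_t *src, uint8_t key)
{
    for (int i = 0; i < LINE_BYTES; i++)
        dst[i] = (uint8_t)(src[i] ^ key);
}

static uint16_t tag_for(const struct program *p)
{
    return p->data_key ? (uint16_t)(p->key_object_id & KID_MASK) : KID_PLAINTEXT;
}

/* Decrypt the line from memory under p's data key and tag it with p's identifier. */
static void fill_line(const struct program *p)
{
    toy_crypt(dcache.plain, memory_line, p->data_key);
    dcache.tag_kid = tag_for(p);
    dcache.valid = 1;
}

/* Write a whole line: plaintext stays in the cache, memory receives ciphertext. */
static void store_line(const struct program *p, const uint8_t *plain)
{
    memcpy(dcache.plain, plain, LINE_BYTES);
    dcache.tag_kid = tag_for(p);
    dcache.valid = 1;
    toy_crypt(memory_line, plain, p->data_key);
}

/* Data reference: compare the line's tag with the identifier of the running code. */
static enum result load_line(const struct program *p, enum policy pol, uint8_t *out)
{
    if (!dcache.valid) {
        fill_line(p);
    } else if (dcache.tag_kid != KID_PLAINTEXT &&
               dcache.tag_kid != (p->key_object_id & KID_MASK)) {
        if (pol == POLICY_EXCEPTION)
            return REF_VIOLATION;     /* secret protection violation */
        fill_line(p);                 /* discard and re-read under p's own key */
    }
    memcpy(out, dcache.plain, LINE_BYTES);
    return REF_OK;
}

int main(void)
{
    /* Constructed sample programs and data. */
    const uint8_t secret[LINE_BYTES] = {'S','E','C','R','E','T','!','!'};
    struct program p1 = {0x021, 0x5A}, p2 = {0x137, 0xC3}, p3 = {0x2A0, 0x5A};
    uint8_t out[LINE_BYTES];

    reset_model();
    store_line(&p1, secret);
    printf("program-2, exception policy: %s\n",
           load_line(&p2, POLICY_EXCEPTION, out) == REF_VIOLATION ? "violation" : "ok");
    load_line(&p2, POLICY_REFILL, out);
    printf("program-2, refill policy reads secret: %s\n",
           memcmp(out, secret, LINE_BYTES) == 0 ? "yes" : "no");
    load_line(&p3, POLICY_REFILL, out);
    printf("program-3 (same data key) reads secret: %s\n",
           memcmp(out, secret, LINE_BYTES) == 0 ? "yes" : "no");
    return 0;
}
```

Under the refill policy program-2 is not stopped, but it only ever sees the line decrypted under its own data key, which is why a program with the same data key as program-1 can still share the data.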
- In this embodiment, the cases where the control can be shifted from the non-protected code to the protected code are limited only to the following two cases:
- (1) the case where the context encrypted by using the execution code encryption key (that is, the context having a random number) that coincides with a restart address is to be restarted; and
- (2) the case where the control is shifted from a non-protected code to an entry gate instruction ("egate" instruction) of the protected code, by the execution of the consecutive codes or by a jump or call instruction.
- This limitation is placed in order to prevent an attacker from obtaining information on code fragments by executing the code from arbitrary position. The procedure for the above (1) has already been described in relation to the context recovery. Namely, the control is shifted to the execution of the protected code only when it is verified that the context information matching with the execution code encryption key of the code that was executed immediately before the interruption is contained, and that the proper signature given by the microprocessor 101 is attached.
- The above (2) is a processing for prohibiting a transition to the execution of the protected code unless a special instruction called entry gate ("egate") instruction is executed at the beginning of the control in the case of shifting the control from the non-protected code to the protected code.
- Fig. 11 shows a procedure for switching a protection domain based on the entry gate instruction. The microprocessor 101 maintains the encryption key of the currently executed code in the current code encryption key memory unit 251 (see Fig. 4) of the exception processing unit 131. First, whether the value of this key is changed in conjunction with the execution of the instruction or not is judged (step 601). When the change of the key value is detected (step 601 NO), whether the instruction executed in conjunction with the change is an entry gate ("egate") instruction or not is checked next (step 602). If it is the entry gate instruction, it implies that it is a proper instruction so that the control can be shifted to the changed code. Consequently, when it is judged as an entry gate instruction (step 602 YES), this instruction is executed.
- On the other hand, when it is judged as not an entry gate instruction (step 602 NO), it implies that the interrupted instruction is an improper instruction. In this case, whether the instruction that was executed immediately previously is an encrypted (protected) instruction or not is judged (step 603). If it is a non-protected instruction, the exception processing can take place directly, but if it is a protected instruction, there is a need to carry out the exception processing while protecting that instruction.
- Consequently, when it is judged as a non-protected instruction (step 603 NO), the exception processing is carried out directly, whereas when it is judged as a protected instruction (step 603 YES), the non-restartable exception processing is carried out while maintaining the protected state.
- By this limitation of the control shifting, the direct shifting of the control from a plaintext code to a code at a location other than that of the entry gate instruction is prohibited. The context recovery implies the recovery of the state that was already executed once by that program through the entry gate. Consequently, the execution of the protected program must pass through the entry gate. By suppressing locations for placing the entry gate to the minimum necessary number in the program, there is an effect of preventing an attack for guessing a program structure by executing the program from various addresses.
- Also, at this entry gate, the initialization of the data protection attribute registers is carried out. When the entry gate is executed, a random number Kr is loaded into a key region (a region 717-5 in CY3) of the data protection attribute registers CY0 to CY3 717 to 720 shown in Fig. 9. The encryption target top address is set to "0", the size is set to an upper limit of the memory, and the entire logical address space is set as the encryption target. If the debug attribute is not set in the execution code, the debug bit (717-3 in CY3) is set as non-debugging.
- In other words, at a timing of the encryption code execution start, all the memory accesses are encrypted by using the random number Kr determined at a time of the entry gate execution. Also, in the execution code encryption control, the definition in the page table is given a higher priority as already mentioned above. This random number Kr is generated independently from the random number used in the context encryption.
- By this mechanism, a protected program to be newly executed is set to be always encrypted by using a key determined randomly at a time of the start of all the memory accesses.
- Of course, in this state the entire memory region is encrypted so that it is impossible to give parameters of the system call through the memory or exchange data with the other programs. For this reason, the program carries out the processing by sequentially adjusting its own processing environment by setting the data protection attribute registers such that the necessary memory region can be converted into plaintext so that it becomes accessible. By leaving the register CY3 with a lowest priority in the initial setting of being encrypted by using the random number, while setting the encryption key "0" as the plaintext access setting for the other registers, it is possible to reduce a risk of accessing an unnecessary region as a plaintext and writing data to be kept in secret by encryption out to a plaintext region by error.
- The contents of the registers other than the data protection attribute registers are not encrypted even in the initialization at the entry gate, and pointers for specifying locations of stacks or parameters can be stored therein. However, care should be taken in the processing of the program to be executed through the entry gate so that secrets of the program will not be stolen by calling up the entry gate after setting illegal values into the registers.
- It is also possible to use a configuration for initializing all the registers other than the flags and the program counter, including the general purpose registers other than the data protection attribute registers, at the entry gate in the case of attaching more importance to the safety, even though this provision makes the programming more restricted and the efficiency poorer. Even in this case, the parameters such as stacks can be exchanged through a memory region specified by a relative address or an absolute address of the program counter. Note however that, similarly as in the case of the context saving, the system registers including a part of the flag registers and the task register are excluded from a target of the encryption or the initialization of the registers for the sake of continuation of the OS operation.
- In this way, in the microprocessor 101 of this embodiment, the fragmental execution of the protected code, especially the illegal setting of the data protection state, is prevented, as the first instruction to be executed at a time of shifting the control from the program in the plaintext state to the protected program is limited to the entry gate instruction and the registers including the data protection attribute registers are initialized by the execution of the entry gate instruction.
- Next, the execution control of the protected program will be described. First, the call up and the branching that are closed within the protection domain will be described. The call up within the protection domain is exactly the same as that for the usual programs. Fig. 13 shows the call up and the branching within the protection domain conceptually.
- The execution of the code 1101 in the protection domain is started as a thread 1121 outside the protection domain is branched into an "egate" (entry gate) instruction of the protection domain. By the execution of the "egate" instruction, all the registers are initialized, and then the data protection attributes are set up sequentially by the execution of the program. The control is shifted to a branch target "xxx" 1111 in the protection domain by a "jmp xxx" instruction (processing 1122), and a "call yyy" instruction located at an address "ppp" 1112 is executed (processing 1123). The calling source address "ppp" 1112 is pushed into a stack memory 1102, and the control is shifted to a call target "yyy" 1113. When the processing at the call target is completed and a "ret" instruction is executed, the control is shifted to a return address "ppp" 1112 in the stack. There is no limitation on the execution control while the execution code encryption key remains the same.
- Next, the call up and the branching from a protection domain to a non-protection domain will be described. For this control shifting, the execution of a special instruction and the operation of the user TSS to be described below will be carried out in order to avoid a shifting from a protection domain to a non-protection domain that is not intended by the program creator and to protect the data protection state.
- Fig. 14 shows the call up and the branching from a protection domain to a non-protection domain conceptually, where an execution code 1201 of the protection domain and an execution code 1202 of the non-protection domain are placed in respective domains. Also, a user TSS region 1203 and a region 1204 for exchanging parameters with the non-protection domain are provided.
- The execution begins when a thread 1221 executes the "egate" instruction. The program of the protection domain saves the address of the user TSS region 1203 in a prescribed parameter region 1204 before calling up the code of the non-protection domain. Then, the code of the non-protection domain is called up by executing the "ecall" instruction. The "ecall" instruction takes two operands. One is a call target address, and the other is a saving target of the execution state. The "ecall" instruction saves the register state at a time of the call up (or more accurately the register state when the program counter is in a state after the "ecall" instruction is issued) into a region specified by the operand "uTSS", in a format similar to that in the case of the encrypted TSS described above. In the following, this region will be referred to as a user TSS.
- The difference between the user TSS and the system TSS lies in that, in the user register shown in Fig. 10, a U flag is set in a region 825-2 on the TSS. The difference in the operation will be described later. In the saving of the user TSS into the memory, the data protection attributes defined in the data protection attribute registers CY0 to CY3 by the user are not applied, similarly as in the case of the saving of the context information into the system TSS.
- The call target code of the non-protection domain cannot exchange parameters because the registers are initialized by the execution of the "ecall" instruction. For this reason, the parameters are acquired from a prescribed address "param" 1204, and the necessary processing is carried out. There is no limitation on the programming in the non-protection domain. In the example of Fig. 14, a sub-routine "qqq" 1213 is called up (processing 1225). The call up from the protection domain can be adapted to the call up semantics of the sub-routine "qqq" by placing an adaptor code for copying stack pointer setting and the parameters to the stack, between "exx" and the call up of "qqq", for example. The processing result is sent to the calling source through the parameter region 1204 on the memory (processing 1226). When the processing of the sub-routine is completed, a "sret" instruction is issued in order to return the control to the calling source protection domain (processing 1227).
- The "sret" instruction takes one operand for specifying the user TSS, unlike the "ret" instruction that has no operand. Here, the user TSS 1203 is specified indirectly as the recovery information through a pointer stored in the parameter region "param" 1204. The recovery of the user TSS by the "sret" instruction largely differs from the recovery of the system TSS in that the task register is not affected at all even when the user TSS is recovered. The task link field of the user TSS will be ignored. The recovery will fail when the system TSS with the U flag 825-2 set to "0" is specified in the operand of the "sret" instruction.
- At a time of the execution of the recovery, the decryption of the execution state and the verification of the execution code encryption key and the signature already described above are carried out, and when the violation is detected, the exception of the secret protection violation will occur. When the verification succeeds, the execution is restarted from an instruction next to the calling source "ecall" instruction. This address is encrypted and signed in the user TSS, so that it is cryptographically impossible to forge this address. All the registers except for the program counter will be set back to the state before the call up, so that the code of the protection domain acquires the execution result of the sub-routine "exx" from the parameter region 1204.
- At a time of shifting the control to the non-protection domain after the processing of the protection domain is completed, an "ejmp" instruction is used. The "ejmp" instruction does not carry out the saving of the state, unlike the "ecall" instruction. If the control is shifted from the protection domain to the non-protection domain by an instruction other than "ecall" and "ejmp", such as "jmp" or "call", the exception of the secret protection violation occurs and the encrypted context information is saved in the TSS region (a region indicated by the task register) of the system. Note that the context information will be marked as non-restartable at this point. Note also that specifying an address in the protection domain as a jumping target of the "ejmp" instruction does not cause the violation.
- This completes the description of a procedure for call up from the protection domain to the non-protection domain and newly added instructions used in that procedure.
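The control-transfer rules described above (the Fig. 11 entry gate check together with the "ecall", "ejmp" and "sret" rules), as an added C model that is not part of the patent: it classifies every change of execution code key in an instruction trace. Key identifier 0 for non-protected code, the order in which the rules are combined, the `ctx_ok` flag standing in for user TSS decryption and signature verification, and the sample traces are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_PLAINTEXT 0u                 /* assumption: id 0 marks non-protected code */
#define N(a) (sizeof(a) / sizeof((a)[0]))

enum op { OP_OTHER, OP_JMP, OP_CALL, OP_EGATE, OP_ECALL, OP_EJMP, OP_SRET };

struct insn {
    uint16_t key_id;   /* key object identifier of the code this instruction belongs to */
    enum op  op;
    int      ctx_ok;   /* OP_SRET only: user TSS decrypted and its signature verified */
};

enum verdict {
    V_SAME_DOMAIN,               /* key unchanged: no limitation */
    V_ENTER_EGATE,               /* key changed, first instruction is "egate" */
    V_LEAVE_ECALL_EJMP,          /* protected -> non-protected via "ecall"/"ejmp" */
    V_RESUME_CONTEXT,            /* verified context recovery via "sret" */
    V_EXCEPTION,                 /* improper entry, previous code non-protected */
    V_EXCEPTION_NONRESTARTABLE   /* improper transfer, previous code protected */
};

/* Classify the transfer from instruction prev to instruction next. */
static enum verdict check_transfer(const struct insn *prev, const struct insn *next)
{
    int prev_prot = prev->key_id != KEY_PLAINTEXT;
    int next_prot = next->key_id != KEY_PLAINTEXT;

    if (prev->key_id == next->key_id)                     /* step 601 */
        return V_SAME_DOMAIN;
    if (next_prot && next->op == OP_EGATE)                /* step 602 */
        return V_ENTER_EGATE;
    if (prev_prot && !next_prot &&
        (prev->op == OP_ECALL || prev->op == OP_EJMP))
        return V_LEAVE_ECALL_EJMP;
    if (!prev_prot && next_prot && prev->op == OP_SRET && prev->ctx_ok)
        return V_RESUME_CONTEXT;
    /* step 603: the exception type depends on what was executing before */
    return prev_prot ? V_EXCEPTION_NONRESTARTABLE : V_EXCEPTION;
}

/* Index of the first instruction reached by an improper transfer, or -1. */
static int first_violation(const struct insn *t, size_t n, enum verdict *why)
{
    for (size_t i = 1; i < n; i++) {
        enum verdict v = check_transfer(&t[i - 1], &t[i]);
        if (v == V_EXCEPTION || v == V_EXCEPTION_NONRESTARTABLE) {
            if (why) *why = v;
            return (int)i;
        }
    }
    return -1;
}

/* Constructed traces. fig14_trace follows the call sequence described for Fig. 14. */
static const struct insn fig14_trace[] = {
    {0, OP_JMP, 0}, {0x21, OP_EGATE, 0}, {0x21, OP_JMP, 0}, {0x21, OP_OTHER, 0},
    {0x21, OP_ECALL, 0}, {0, OP_OTHER, 0}, {0, OP_CALL, 0}, {0, OP_OTHER, 0},
    {0, OP_SRET, 1}, {0x21, OP_OTHER, 0}, {0x21, OP_EJMP, 0}, {0, OP_OTHER, 0},
};
/* Non-protected code jumps into the middle of protected code. */
static const struct insn probe_trace[] = { {0, OP_JMP, 0}, {0x21, OP_OTHER, 0} };
/* Protected code leaves with a plain "call" instead of "ecall". */
static const struct insn leak_trace[] = {
    {0, OP_JMP, 0}, {0x21, OP_EGATE, 0}, {0x21, OP_CALL, 0}, {0, OP_OTHER, 0},
};
/* "sret" with a user TSS that fails verification. */
static const struct insn forged_sret_trace[] = { {0, OP_SRET, 0}, {0x21, OP_OTHER, 0} };

int main(void)
{
    enum verdict why = V_SAME_DOMAIN;
    printf("fig14:       %d\n", first_violation(fig14_trace, N(fig14_trace), &why));
    printf("probe:       %d\n", first_violation(probe_trace, N(probe_trace), &why));
    printf("leak:        %d\n", first_violation(leak_trace, N(leak_trace), &why));
    printf("forged sret: %d\n",
           first_violation(forged_sret_trace, N(forged_sret_trace), &why));
    return 0;
}
```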
- At a time of the recovery of the user TSS by the application, an attack for substituting the user TSS by the OS which has privileges is not entirely impossible. However, the interchangeable TSS information in such a case is only the context information whose execution is always started through the "egate" and which is saved by the saving of the execution state caused by the interruption or by the user explicitly, as long as the execution code encryption key of the protection domain is managed correctly. A possibility for the leakage of the secrets of the application due to the interchange of this context information is quite small, and it is quite difficult for an attacker to guess what kind of the context information interchange is necessary in acquiring the secrets of the application.
- The procedure for call up from the protection domain to the non-protection domain described above is also applicable to a procedure for shifting the control between the protection domains, if the instruction to be executed first at the call target is the "egate" instruction of the calling source side.
- In this case, the call up between the protection domains can be carried out safely by encrypting the region for exchanging parameters between these protection domains, by using an encryption key that is shared by carrying out the authentication key exchange between these protection domains in advance.
- As described, according to the microprocessor of the present invention, it becomes possible to prevent the illegal analysis by the OS or a third party by protecting both the execution codes and the processing target data of the execution codes by using the encryption, under the multi-task environment.
- Also, it becomes possible to prevent the illegal rewriting of the encryption attributes in the case of saving the encrypted data.
- Also, it becomes possible to protect the encrypted data from illegal attacks by using arbitrary random number Kr rather than a fixed key as the encryption key for the processing target data.
- Also, it becomes possible to carry out the debugging in the plaintext state, and when errors are found, a feedback on the errors can be provided to the program vendor who knows the execution code encryption key.
- Also, it becomes possible to prevent an increase of the memories in the microprocessor and suppress the cost of the microprocessor by saving information that required the secret protection such as the encryption attribute information on an external memory by attaching a signature of the microprocessor, reading only the necessary portion into the registers inside the microprocessor, and carrying out the verification of the signature at a time of reading. In this scheme, the safety against the substitution at a time of the reading can also be guaranteed.
- It is also to be noted that, besides those already mentioned above, many modifications and variations of the above embodiments may be made without departing from the novel and advantageous features of the present invention. Accordingly, all such modifications and variations are intended to be included within the scope of the appended claims.
Claims (11)
- A microprocessor (101) having a unique secret key and a unique public key corresponding to the unique secret key that cannot be read out to external, comprising: a reading unit (112) configured to read out a plurality of programs encrypted by using different execution code encryption keys from an external memory (282); a decryption unit (113) configured to decrypt the plurality of programs read out by the reading unit (112) by using respective decryption keys; an execution unit (115) configured to execute the plurality of programs decrypted by the decryption unit (113); a context information saving unit (131) configured to save a context information for one program whose execution is to be interrupted, into the external memory (282) or a context information memory provided inside the microprocessor, the context information containing information indicating an execution state of the one program and the execution code encryption key of the one program; and a restart unit (131, 115) configured to restart an execution of the one program by reading out the context information from the external memory (282) or the context information memory, and recovering the execution state of the one program from the context information, wherein the context information saving unit (131(252)) is configured to generate a random number as a temporary key, to encrypt the context information, and to save an encrypted context information into the external memory (282), the encrypted context information containing a first value obtained by encrypting information indicating the execution state of the one program by using the temporary key, a second value obtained by encrypting the temporary key by using the public key, and a third value obtained by encrypting the temporary key by using the execution code encryption key of the one program; and the restart unit (131, 115) is configured to restart the execution of the one program by reading out the encrypted context information from the external memory (282), decrypting the temporary key from the second value contained in the encrypted context information by using the secret key, decrypting the information indicating the execution state from the first value contained in the encrypted context information by using a decrypted temporary key, and recovering the execution state of the one program from a decrypted context information.
- The microprocessor (101) of Claim 1, wherein the restart unit (131, 115) decrypts a first temporary key from the second value contained in the encrypted context information by using the secret key and decrypts the information indicating the execution state from the first value contained in the encrypted context information by using the first decrypted temporary key, while decrypting a second temporary key from the third value contained in the encrypted context information by using the execution code encryption key of the one program, and restarts the execution of the one program only when the first decrypted temporary key coincides with the second decrypted temporary key.
- The microprocessor (101, 2101) according to Claim 1, further comprising: an execution state memory unit (253, 2111) for storing an execution state of a currently executed program; and an execution state initialisation unit (2112) configured to initialise a content of the execution state memory unit (2111) to a prescribed value or encrypts the content of the execution state memory unit (2111), before an execution of another program starts after the one program is interrupted.
- The microprocessor (101) according to Claim 1, further comprising: a key reading unit (257) configured to read out the execution code encryption key of each program that is encrypted by using the public key in advance, from the external memory (282); and a key decryption unit (257) configured to decrypt the execution code encryption key read out by the key reading unit (257), by using the secret key; wherein the decryption unit (113) decrypts each program by using the execution code encryption code encryption key as a decryption key.
- The microprocessor (101, 2101) according to Claim 1, further comprising: an execution state memory unit (253, 2111) for storing an execution state or a currently executed program and an encryption attributes for data to be processed by the currently executed program; and a data encryption unit (1113(220)) configured to encrypt the data to be processed by the currently executed program according to the encryption attributes stored in the execution state memory unit (253, 2111).
- The microprocessor according to any preceding claim, comprising: an execution state memory unit (253, 2111) for storing an execution state of a currently executed program, encryption attributes for data to be processed by the currently executed program, and an encryption attribute specifying information for specifying the encryption attributes; a related information writing unit (257) configured to write a related information related to the encryption attribute specifying information and containing a signature obtained by using the secret key, into the external memory (282); a related information reading unit (257) configured to read out the related information from the external memory (282) according to an address of a data to be referred by the currently executed program; a data referring permission unit (257) configured to verify the signature contained in the related information by using the public key, and to permit a data referring by the currently executed program by determining an encryption key and an algorithm to be used for the data referring according to the related information and the encryption attribute specifying information, only when the signature contained in the related information coincides with an original signature of the microprocessor; and a data encryption unit (113; 220) configured to encrypt the data to be referred by the currently executed program according to the encryption attributes stored in the execution state memory unit (253, 2111).
- The microprocessor (101) according to any preceding claim, comprising: a cache memory (114) for caching plaintext instructions and plaintext data for the plurality of programs in units of cache lines, the cache memory (114) having an attribute area for each cache line indicating a decryption key identifier for uniquely identifying a decryption key used in decrypting each program whose instructions are cached in each cache line or each program whose execution has caused caching of the plaintext data in each cache line; a cache access control unit (131) configured to permit a data referring caused by an execution of one cached program stored in one cache line with respect to one cached data in another cache line, only when the decryption key identifier indicated by the encryption attribute for the one cache line coincides with the decryption key identifier indicated by the encryption attribute for the another cache line.
- The microprocessor (101) of Claim 7, wherein when the data referring is not permitted, new data are cached into the another cached line from the external memory (282).
- The microprocessor (101) of Claim 7, wherein when the data referring is not permitted, an execution of the one cached program is interrupted by a protection exception.
- The microprocessor according to any preceding claim, wherein the execution unit (115, 2112) also executes plaintext programs, and has a debugging function for causing an exception when an execution of a program at a specific address or address region or a data referring to a data at the specific address or address region occurs during an execution of a plaintext program, the debugging function being invalidated during an execution of an encrypted program.
- The microprocessor (101, 2101) according to any preceding claim, wherein constituent elements of the microprocessor are contained in a single chip or a single package.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2000035898A JP3801833B2 (en) | 2000-02-14 | 2000-02-14 | Microprocessor |
JP2000035898 | 2000-02-14 | ||
JP2000135010 | 2000-05-08 | ||
JP2000135010A JP4226760B2 (en) | 2000-05-08 | 2000-05-08 | Microprocessor, multitask execution method using the same, and multired execution method |
Publications (3)
Publication Number | Publication Date |
---|---|
EP1126356A2 EP1126356A2 (en) | 2001-08-22 |
EP1126356A3 EP1126356A3 (en) | 2003-01-08 |
EP1126356B1 true EP1126356B1 (en) | 2008-09-10 |
Family
ID=26585335
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP01301241A Expired - Lifetime EP1126356B1 (en) | 2000-02-14 | 2001-02-14 | Tamper resistant microprocessor |
EP01301240A Ceased EP1126355A1 (en) | 2000-02-14 | 2001-02-14 | Method and system for distributing programs using tamper resistant processor |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP01301240A Ceased EP1126355A1 (en) | 2000-02-14 | 2001-02-14 | Method and system for distributing programs using tamper resistant processor |
Country Status (5)
Country | Link |
---|---|
US (3) | US6983374B2 (en) |
EP (2) | EP1126356B1 (en) |
KR (2) | KR100362219B1 (en) |
CN (2) | CN1220121C (en) |
DE (1) | DE60135695D1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9087000B2 (en) | 2003-11-26 | 2015-07-21 | Intel Corporation | Accessing private data about the state of a data processing machine from storage that is publicly accessible |
Families Citing this family (207)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7600131B1 (en) | 1999-07-08 | 2009-10-06 | Broadcom Corporation | Distributed processing in a cryptography acceleration chip |
US6983374B2 (en) | 2000-02-14 | 2006-01-03 | Kabushiki Kaisha Toshiba | Tamper resistant microprocessor |
US6895506B1 (en) * | 2000-05-16 | 2005-05-17 | Loay Abu-Husein | Secure storage and execution of processor control programs by encryption and a program loader/decryption mechanism |
US6986052B1 (en) | 2000-06-30 | 2006-01-10 | Intel Corporation | Method and apparatus for secure execution using a secure memory partition |
FR2817067B1 (en) * | 2000-11-21 | 2003-02-21 | Cyber Comm | METHOD AND DEVICE FOR AUTHENTICATING ELECTRONIC DOCUMENTS USING A DIGITAL SIGNATURE |
US20020114457A1 (en) * | 2001-01-26 | 2002-08-22 | Takahiro Sato | LSI having interpreter function and information recording/reproducing apparatus using the same |
US7428636B1 (en) * | 2001-04-26 | 2008-09-23 | Vmware, Inc. | Selective encryption system and method for I/O operations |
US7260820B1 (en) | 2001-04-26 | 2007-08-21 | Vm Ware, Inc. | Undefeatable transformation for virtual machine I/O operations |
KR100614433B1 (en) * | 2001-05-14 | 2006-08-22 | 엔티티 도꼬모 인코퍼레이티드 | Application management server, mobile terminal and application management method |
US7478266B2 (en) * | 2001-05-21 | 2009-01-13 | Mudalla Technology, Inc. | Method and apparatus for fast transaction commit over unreliable networks |
US7979740B2 (en) * | 2001-05-21 | 2011-07-12 | Mudalla Technology, Inc. | Gaming machine having game play suspension and resumption features using biometrically-based authentication and method of operating same |
US7051332B2 (en) * | 2001-05-21 | 2006-05-23 | Cyberscan Technology, Inc. | Controller having a restart engine configured to initiate a controller restart cycle upon receipt of a timeout signal from a watchdog timer |
US7237121B2 (en) * | 2001-09-17 | 2007-06-26 | Texas Instruments Incorporated | Secure bootloader for securing digital devices |
US7181530B1 (en) * | 2001-07-27 | 2007-02-20 | Cisco Technology, Inc. | Rogue AP detection |
JP2003051819A (en) * | 2001-08-08 | 2003-02-21 | Toshiba Corp | Microprocessor |
WO2003027816A1 (en) * | 2001-09-28 | 2003-04-03 | High Density Devices As | Method and device for encryption/decryption of data on mass storage device |
JP4226816B2 (en) * | 2001-09-28 | 2009-02-18 | 株式会社東芝 | Microprocessor |
JP2005512170A (en) * | 2001-11-12 | 2005-04-28 | ネットワーク リサーチ ラブ リミテッド | Information protection method and apparatus against unauthorized use |
US20030115471A1 (en) * | 2001-12-19 | 2003-06-19 | Skeba Kirk W. | Method and apparatus for building operational radio firmware using incrementally certified modules |
KR100458515B1 (en) * | 2001-12-21 | 2004-12-03 | 한국전자통신연구원 | System and method that can facilitate secure installation of JAVA application for mobile client through wireless internet |
US7305567B1 (en) * | 2002-03-01 | 2007-12-04 | Cavium Networks, Inc. | Decoupled architecture for data ciphering operations |
KR20030075018A (en) * | 2002-03-15 | 2003-09-22 | 주식회사 셈틀로미디어 | Device for generating tamper-resistant software and methods for self-integrity checking the software file and server-aided integrity checking in client-server environment |
US7900054B2 (en) * | 2002-03-25 | 2011-03-01 | Intel Corporation | Security protocols for processor-based systems |
JP2003330365A (en) * | 2002-05-09 | 2003-11-19 | Toshiba Corp | Method for distributing/receiving contents |
KR100619657B1 (en) | 2002-06-05 | 2006-09-08 | 후지쯔 가부시끼가이샤 | Memory managing unit, code verifying device, and code decoder |
US7392415B2 (en) * | 2002-06-26 | 2008-06-24 | Intel Corporation | Sleep protection |
EP1542112A4 (en) * | 2002-07-09 | 2008-04-09 | Fujitsu Ltd | Open type general-purpose attack-resistant cpu, and application system thereof |
US20040017918A1 (en) * | 2002-07-24 | 2004-01-29 | Christophe Nicolas | Process for point-to-point secured transmission of data and electronic module for implementing the process |
JP2004054834A (en) | 2002-07-24 | 2004-02-19 | Matsushita Electric Ind Co Ltd | Program development method, program development support device, and program packaging method |
EP1429224A1 (en) * | 2002-12-10 | 2004-06-16 | Texas Instruments Incorporated | Firmware run-time authentication |
JP4099039B2 (en) * | 2002-11-15 | 2008-06-11 | 松下電器産業株式会社 | Program update method |
US7137109B2 (en) * | 2002-12-17 | 2006-11-14 | Hewlett-Packard Development Company, L.P. | System and method for managing access to a controlled space in a simulator environment |
US7568110B2 (en) | 2002-12-18 | 2009-07-28 | Broadcom Corporation | Cryptography accelerator interface decoupling from cryptography processing cores |
US20040123120A1 (en) * | 2002-12-18 | 2004-06-24 | Broadcom Corporation | Cryptography accelerator input interface data handling |
US7434043B2 (en) | 2002-12-18 | 2008-10-07 | Broadcom Corporation | Cryptography accelerator data routing unit |
US20040123123A1 (en) * | 2002-12-18 | 2004-06-24 | Buer Mark L. | Methods and apparatus for accessing security association information in a cryptography accelerator |
US7512811B2 (en) * | 2003-01-14 | 2009-03-31 | Canon Kabushiki Kaisha | Encryption/decryption method for data limited in value range, apparatus and program therefor |
JP3880933B2 (en) * | 2003-01-21 | 2007-02-14 | 株式会社東芝 | Data access control method using tamper resistant microprocessor and cache memory processor |
US7370319B2 (en) * | 2003-02-11 | 2008-05-06 | V.I. Laboratories, Inc. | System and method for regulating execution of computer software |
US8225290B2 (en) * | 2003-02-11 | 2012-07-17 | V. i. Laboratories, Inc. | Systems and methods for regulating execution of computer software |
US7529368B2 (en) * | 2003-04-18 | 2009-05-05 | Via Technologies, Inc. | Apparatus and method for performing transparent output feedback mode cryptographic functions |
US7321910B2 (en) * | 2003-04-18 | 2008-01-22 | Ip-First, Llc | Microprocessor apparatus and method for performing block cipher cryptographic functions |
US7900055B2 (en) * | 2003-04-18 | 2011-03-01 | Via Technologies, Inc. | Microprocessor apparatus and method for employing configurable block cipher cryptographic algorithms |
US7529367B2 (en) * | 2003-04-18 | 2009-05-05 | Via Technologies, Inc. | Apparatus and method for performing transparent cipher feedback mode cryptographic functions |
US7532722B2 (en) * | 2003-04-18 | 2009-05-12 | Ip-First, Llc | Apparatus and method for performing transparent block cipher cryptographic functions |
US8060755B2 (en) * | 2003-04-18 | 2011-11-15 | Via Technologies, Inc | Apparatus and method for providing user-generated key schedule in a microprocessor cryptographic engine |
US7542566B2 (en) * | 2003-04-18 | 2009-06-02 | Ip-First, Llc | Apparatus and method for performing transparent cipher block chaining mode cryptographic functions |
US7844053B2 (en) * | 2003-04-18 | 2010-11-30 | Ip-First, Llc | Microprocessor apparatus and method for performing block cipher cryptographic functions |
US7392400B2 (en) * | 2003-04-18 | 2008-06-24 | Via Technologies, Inc. | Microprocessor apparatus and method for optimizing block cipher cryptographic functions |
US7536560B2 (en) * | 2003-04-18 | 2009-05-19 | Via Technologies, Inc. | Microprocessor apparatus and method for providing configurable cryptographic key size |
US7519833B2 (en) * | 2003-04-18 | 2009-04-14 | Via Technologies, Inc. | Microprocessor apparatus and method for enabling configurable data block size in a cryptographic engine |
US7502943B2 (en) * | 2003-04-18 | 2009-03-10 | Via Technologies, Inc. | Microprocessor apparatus and method for providing configurable cryptographic block cipher round results |
US7539876B2 (en) * | 2003-04-18 | 2009-05-26 | Via Technologies, Inc. | Apparatus and method for generating a cryptographic key schedule in a microprocessor |
US7925891B2 (en) * | 2003-04-18 | 2011-04-12 | Via Technologies, Inc. | Apparatus and method for employing cryptographic functions to generate a message digest |
GB2403562A (en) * | 2003-07-04 | 2005-01-05 | Hewlett Packard Development Co | Secure processing environment in which executable code for services is only received by a secure loading process through the service request interface |
US7366302B2 (en) * | 2003-08-25 | 2008-04-29 | Sony Corporation | Apparatus and method for an iterative cryptographic block |
CN1871568B (en) | 2003-08-26 | 2010-04-28 | 松下电器产业株式会社 | Program execution device |
JP4263976B2 (en) * | 2003-09-24 | 2009-05-13 | 株式会社東芝 | On-chip multi-core tamper resistant processor |
US7681046B1 (en) | 2003-09-26 | 2010-03-16 | Andrew Morgan | System with secure cryptographic capabilities using a hardware specific digital secret |
TWI274280B (en) * | 2003-09-29 | 2007-02-21 | Via Tech Inc | Microprocessor apparatus and method for employing configurable block cipher cryptographic algorithms |
TWI247241B (en) * | 2003-09-29 | 2006-01-11 | Ip First Llc | Microprocessor apparatus and method for performing block cipher cryptographic functions |
US7694151B1 (en) * | 2003-11-20 | 2010-04-06 | Johnson Richard C | Architecture, system, and method for operating on encrypted and/or hidden information |
TWI274281B (en) * | 2003-12-04 | 2007-02-21 | Ip First Llc | Apparatus and method for performing transparent block cipher cryptographic functions |
JP4282472B2 (en) * | 2003-12-26 | 2009-06-24 | 株式会社東芝 | Microprocessor |
CN1661958B (en) * | 2004-03-15 | 2010-04-28 | 威盛电子股份有限公司 | Microprocessor apparatus of block cryptographic functions and method |
JP2007535067A (en) * | 2004-04-29 | 2007-11-29 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | Intrusion detection during program execution on a computer |
US9219729B2 (en) | 2004-05-19 | 2015-12-22 | Philip Drope | Multimedia network system with content importation, content exportation, and integrated content management |
JP2005346182A (en) * | 2004-05-31 | 2005-12-15 | Fujitsu Ltd | Information processor, tamper resistant method, and tamper resistant program |
US20050276413A1 (en) * | 2004-06-14 | 2005-12-15 | Raja Neogi | Method and apparatus to manage heterogeneous cryptographic operations |
CN100353276C (en) * | 2004-06-24 | 2007-12-05 | 株式会社东芝 | Microprocessor |
JP4612461B2 (en) * | 2004-06-24 | 2011-01-12 | 株式会社東芝 | Microprocessor |
JP4559794B2 (en) * | 2004-06-24 | 2010-10-13 | 株式会社東芝 | Microprocessor |
CN100354787C (en) * | 2004-06-24 | 2007-12-12 | 株式会社东芝 | Microprocessor |
JP4447977B2 (en) | 2004-06-30 | 2010-04-07 | 富士通マイクロエレクトロニクス株式会社 | Secure processor and program for secure processor. |
JP4490192B2 (en) * | 2004-07-02 | 2010-06-23 | 株式会社エヌ・ティ・ティ・ドコモ | Multitask execution system |
JP4204522B2 (en) * | 2004-07-07 | 2009-01-07 | 株式会社東芝 | Microprocessor |
JP2006023957A (en) * | 2004-07-07 | 2006-01-26 | Sony Corp | Semiconductor integrated circuit and information processor |
US20060136717A1 (en) | 2004-12-20 | 2006-06-22 | Mark Buer | System and method for authentication via a proximate device |
US8295484B2 (en) * | 2004-12-21 | 2012-10-23 | Broadcom Corporation | System and method for securing data from a remote input device |
JP2006202017A (en) * | 2005-01-20 | 2006-08-03 | Sharp Corp | Information processor, information storage device, function expansion system for information processor, function expansion method and function deletion method for information processor, and function expansion program and function deletion program for information processor |
EP1717723A1 (en) | 2005-04-29 | 2006-11-02 | ST Incard S.r.l. | Improved virtual machine or hardware processor for IC-card portable electronic devices |
JP2006311462A (en) * | 2005-05-02 | 2006-11-09 | Toshiba Corp | Apparatus and method for retrieval contents |
US20060259828A1 (en) | 2005-05-16 | 2006-11-16 | Texas Instruments Incorporated | Systems and methods for controlling access to secure debugging and profiling features of a computer system |
US9633213B2 (en) * | 2005-05-16 | 2017-04-25 | Texas Instruments Incorporated | Secure emulation logic between page attribute table and test interface |
US7874009B2 (en) * | 2005-05-26 | 2011-01-18 | Panasonic Corporation | Data processing device |
US7571298B2 (en) * | 2005-06-30 | 2009-08-04 | Intel Corporation | Systems and methods for host virtual memory reconstitution |
US7953980B2 (en) * | 2005-06-30 | 2011-05-31 | Intel Corporation | Signed manifest for run-time verification of software program identity and integrity |
US7669242B2 (en) * | 2005-06-30 | 2010-02-23 | Intel Corporation | Agent presence monitor configured to execute in a secure environment |
US8839450B2 (en) * | 2007-08-02 | 2014-09-16 | Intel Corporation | Secure vault service for software components within an execution environment |
US20070006307A1 (en) * | 2005-06-30 | 2007-01-04 | Hahn Scott D | Systems, apparatuses and methods for a host software presence check from an isolated partition |
EP1752937A1 (en) | 2005-07-29 | 2007-02-14 | Research In Motion Limited | System and method for encrypted smart card PIN entry |
JP2007058588A (en) * | 2005-08-24 | 2007-03-08 | Toshiba Corp | Processor having program protection function |
US8171268B2 (en) * | 2005-09-19 | 2012-05-01 | Intel Corporation | Technique for context state management to reduce save and restore operations between a memory and a processor using in-use vectors |
US20070067590A1 (en) * | 2005-09-22 | 2007-03-22 | Uday Savagaonkar | Providing protected access to critical memory regions |
US7496727B1 (en) | 2005-12-06 | 2009-02-24 | Transmeta Corporation | Secure memory access system and method |
US20070168680A1 (en) * | 2006-01-13 | 2007-07-19 | Lockheed Martin Corporation | Anti-tamper system |
US7428306B2 (en) * | 2006-04-18 | 2008-09-23 | International Business Machines Corporation | Encryption apparatus and method for providing an encrypted file system |
US7681047B2 (en) * | 2006-04-18 | 2010-03-16 | International Business Machines Corporation | Decryption of data in storage systems |
US7945789B2 (en) * | 2006-09-12 | 2011-05-17 | International Business Machines Corporation | System and method for securely restoring a program context from a shared memory |
US7660769B2 (en) | 2006-09-12 | 2010-02-09 | International Business Machines Corporation | System and method for digital content player with secure processing vault |
US8095802B2 (en) * | 2006-09-12 | 2012-01-10 | International Business Machines Corporation | System and method for securely saving a program context to a shared memory |
US8190917B2 (en) | 2006-09-12 | 2012-05-29 | International Business Machines Corporation | System and method for securely saving and restoring a context of a secure program loader |
CN101981580B (en) * | 2006-09-20 | 2014-07-09 | 陈锦夫 | From polymorphic executable to polymorphic operating system |
US7802050B2 (en) * | 2006-09-29 | 2010-09-21 | Intel Corporation | Monitoring a target agent execution pattern on a VT-enabled system |
US7882318B2 (en) * | 2006-09-29 | 2011-02-01 | Intel Corporation | Tamper protection of software agents operating in a vitual technology environment methods and apparatuses |
US20080141382A1 (en) * | 2006-12-12 | 2008-06-12 | Lockheed Martin Corporation | Anti-tamper device |
US8495383B2 (en) * | 2006-12-14 | 2013-07-23 | Nokia Corporation | Method for the secure storing of program state data in an electronic device |
US8245307B1 (en) * | 2006-12-18 | 2012-08-14 | Nvidia Corporation | Providing secure access to a secret |
US20080148061A1 (en) * | 2006-12-19 | 2008-06-19 | Hongxia Jin | Method for effective tamper resistance |
US20080155273A1 (en) * | 2006-12-21 | 2008-06-26 | Texas Instruments, Inc. | Automatic Bus Encryption And Decryption |
US7949130B2 (en) * | 2006-12-28 | 2011-05-24 | Intel Corporation | Architecture and instruction set for implementing advanced encryption standard (AES) |
US20080229117A1 (en) * | 2007-03-07 | 2008-09-18 | Shin Kang G | Apparatus for preventing digital piracy |
EP1978466A1 (en) * | 2007-04-05 | 2008-10-08 | STMicroelectronics (Research & Development) Limited | Integrated circuit and method for secure execution of software |
KR101405915B1 (en) | 2007-04-26 | 2014-06-12 | 삼성전자주식회사 | Method for writing data by encryption and reading the data thereof |
US20100088528A1 (en) * | 2007-05-03 | 2010-04-08 | Radu Sion | Method and apparatus for tamper-proof wirte-once-read-many computer storage |
EP2015561A1 (en) * | 2007-07-10 | 2009-01-14 | Nagracard S.A. | Method of sending executable code to a reception device and method of executing this code |
US8312518B1 (en) * | 2007-09-27 | 2012-11-13 | Avaya Inc. | Island of trust in a service-oriented environment |
JP5201716B2 (en) * | 2007-09-28 | 2013-06-05 | 東芝ソリューション株式会社 | Cryptographic module distribution system, cryptographic management server device, cryptographic processing device, client device, cryptographic management program, cryptographic processing program, and client program |
US8539098B2 (en) | 2007-10-17 | 2013-09-17 | Dispersive Networks, Inc. | Multiplexed client server (MCS) communications and systems |
US8560634B2 (en) * | 2007-10-17 | 2013-10-15 | Dispersive Networks, Inc. | Apparatus, systems and methods utilizing dispersive networking |
US8099718B2 (en) * | 2007-11-13 | 2012-01-17 | Intel Corporation | Method and system for whitelisting software components |
JP4976991B2 (en) * | 2007-11-22 | 2012-07-18 | 株式会社東芝 | Information processing apparatus, program verification method, and program |
US8819839B2 (en) | 2008-05-24 | 2014-08-26 | Via Technologies, Inc. | Microprocessor having a secure execution mode with provisions for monitoring, indicating, and managing security levels |
US8607034B2 (en) * | 2008-05-24 | 2013-12-10 | Via Technologies, Inc. | Apparatus and method for disabling a microprocessor that provides for a secure execution mode |
US8175265B2 (en) | 2008-09-02 | 2012-05-08 | Apple Inc. | Systems and methods for implementing block cipher algorithms on attacker-controlled systems |
US8745411B2 (en) * | 2008-11-07 | 2014-06-03 | Broadcom Corporation | Protecting external volatile memories using low latency encryption/decryption |
JP5322620B2 (en) | 2008-12-18 | 2013-10-23 | 株式会社東芝 | Information processing apparatus, program development system, program verification method, and program |
US8364601B2 (en) * | 2008-12-31 | 2013-01-29 | Intel Corporation | Methods and systems to directly render an image and correlate corresponding user input in a secure memory domain |
US9298894B2 (en) * | 2009-06-26 | 2016-03-29 | International Business Machines Corporation | Cache structure for a computer system providing support for secure objects |
US8578175B2 (en) | 2011-02-23 | 2013-11-05 | International Business Machines Corporation | Secure object having protected region, integrity tree, and unprotected region |
US8954752B2 (en) | 2011-02-23 | 2015-02-10 | International Business Machines Corporation | Building and distributing secure object software |
US8819446B2 (en) | 2009-06-26 | 2014-08-26 | International Business Machines Corporation | Support for secure objects in a computer system |
US9846789B2 (en) | 2011-09-06 | 2017-12-19 | International Business Machines Corporation | Protecting application programs from malicious software or malware |
US9954875B2 (en) | 2009-06-26 | 2018-04-24 | International Business Machines Corporation | Protecting from unintentional malware download |
US8812872B2 (en) | 2010-02-08 | 2014-08-19 | Hypertech Co., Ltd. | Memory managment method |
WO2011101972A1 (en) | 2010-02-18 | 2011-08-25 | 株式会社東芝 | Program |
DE102010010851A1 (en) * | 2010-03-10 | 2011-09-15 | Giesecke & Devrient Gmbh | Spying protection when executing an operation sequence in a portable data carrier |
US8370648B1 (en) * | 2010-03-15 | 2013-02-05 | Emc International Company | Writing and reading encrypted data using time-based encryption keys |
US20110258430A1 (en) * | 2010-04-15 | 2011-10-20 | Nokia Corporation | Method and apparatus for applying execution context criteria for execution context sharing |
TWI497344B (en) * | 2010-05-17 | 2015-08-21 | Via Tech Inc | Microprocessor and method for generating unpredictable key |
US8639945B2 (en) | 2010-05-25 | 2014-01-28 | Via Technologies, Inc. | Branch and switch key instruction in a microprocessor that fetches and decrypts encrypted instructions |
US9967092B2 (en) | 2010-05-25 | 2018-05-08 | Via Technologies, Inc. | Key expansion logic using decryption key primitives |
US9911008B2 (en) | 2010-05-25 | 2018-03-06 | Via Technologies, Inc. | Microprocessor with on-the-fly switching of decryption keys |
US9798898B2 (en) | 2010-05-25 | 2017-10-24 | Via Technologies, Inc. | Microprocessor with secure execution mode and store key instructions |
US9892283B2 (en) | 2010-05-25 | 2018-02-13 | Via Technologies, Inc. | Decryption of encrypted instructions using keys selected on basis of instruction fetch address |
US8990582B2 (en) * | 2010-05-27 | 2015-03-24 | Cisco Technology, Inc. | Virtual machine memory compartmentalization in multi-core architectures |
US8812871B2 (en) * | 2010-05-27 | 2014-08-19 | Cisco Technology, Inc. | Method and apparatus for trusted execution in infrastructure as a service cloud environments |
JP5171907B2 (en) * | 2010-09-13 | 2013-03-27 | 株式会社東芝 | Information processing apparatus and information processing program |
JP2012080295A (en) * | 2010-09-30 | 2012-04-19 | Toshiba Corp | Information storage device, information storage method, and electronic device |
JP2012084071A (en) | 2010-10-14 | 2012-04-26 | Toshiba Corp | Digital content protection method, decryption method, reproducing device, memory medium and cryptographic device |
US8955110B1 (en) | 2011-01-14 | 2015-02-10 | Robert W. Twitchell, Jr. | IP jamming systems utilizing virtual dispersive networking |
US8941659B1 (en) | 2011-01-28 | 2015-01-27 | Rescon Ltd | Medical symptoms tracking apparatus, methods and systems |
US9864853B2 (en) | 2011-02-23 | 2018-01-09 | International Business Machines Corporation | Enhanced security mechanism for authentication of users of a system |
US8839001B2 (en) * | 2011-07-06 | 2014-09-16 | The Boeing Company | Infinite key memory transaction unit |
US8661527B2 (en) | 2011-08-31 | 2014-02-25 | Kabushiki Kaisha Toshiba | Authenticator, authenticatee and authentication method |
US9166953B2 (en) * | 2011-10-31 | 2015-10-20 | Nokia Technologies Oy | Method and apparatus for providing identity based encryption in distributed computations |
US20130108038A1 (en) * | 2011-11-01 | 2013-05-02 | Apple Inc. | System and method for a collatz based hash function |
JP5275432B2 (en) | 2011-11-11 | 2013-08-28 | 株式会社東芝 | Storage medium, host device, memory device, and system |
CN102509048A (en) * | 2011-11-14 | 2012-06-20 | 西安电子科技大学 | Method for preventing illegal transferring of interruption procedures of operating system |
JP5112555B1 (en) | 2011-12-02 | 2013-01-09 | 株式会社東芝 | Memory card, storage media, and controller |
JP5204291B1 (en) | 2011-12-02 | 2013-06-05 | 株式会社東芝 | Host device, device, system |
JP5204290B1 (en) | 2011-12-02 | 2013-06-05 | 株式会社東芝 | Host device, system, and device |
JP5100884B1 (en) | 2011-12-02 | 2012-12-19 | 株式会社東芝 | Memory device |
CN102521037B (en) * | 2011-12-05 | 2013-12-25 | 晶门科技(深圳)有限公司 | Cryptology algorithm coprocessor with double context memories and method for processing data stream |
JP5275482B2 (en) | 2012-01-16 | 2013-08-28 | 株式会社東芝 | Storage medium, host device, memory device, and system |
US8954755B2 (en) | 2012-01-23 | 2015-02-10 | International Business Machines Corporation | Memory address translation-based data encryption with integrated encryption engine |
EP2653992A1 (en) | 2012-04-17 | 2013-10-23 | Itron, Inc. | Microcontroller configured for external memory decryption |
JP6201298B2 (en) * | 2012-11-14 | 2017-09-27 | オムロン株式会社 | Controller and program |
US9183161B2 (en) * | 2012-12-28 | 2015-11-10 | Intel Corporation | Apparatus and method for page walk extension for enhanced security checks |
US9201811B2 (en) | 2013-02-14 | 2015-12-01 | Kabushiki Kaisha Toshiba | Device and authentication method therefor |
US8984294B2 (en) | 2013-02-15 | 2015-03-17 | Kabushiki Kaisha Toshiba | System of authenticating an individual memory device via reading data including prohibited data and readable data |
US11044076B2 (en) * | 2013-02-25 | 2021-06-22 | Hecusys, LLC | Encrypted data processing |
US9280490B2 (en) * | 2013-04-17 | 2016-03-08 | Laurence H. Cooke | Secure computing |
US9846656B2 (en) | 2013-04-17 | 2017-12-19 | Laurence H. Cooke | Secure computing |
US9547767B2 (en) * | 2013-11-13 | 2017-01-17 | Via Technologies, Inc. | Event-based apparatus and method for securing bios in a trusted computing system during execution |
US10055588B2 (en) * | 2013-11-13 | 2018-08-21 | Via Technologies, Inc. | Event-based apparatus and method for securing BIOS in a trusted computing system during execution |
US9223965B2 (en) | 2013-12-10 | 2015-12-29 | International Business Machines Corporation | Secure generation and management of a virtual card on a mobile device |
US9235692B2 (en) | 2013-12-13 | 2016-01-12 | International Business Machines Corporation | Secure application debugging |
TWI712915B (en) | 2014-06-12 | 2020-12-11 | 美商密碼研究公司 | Methods of executing a cryptographic operation, and computer-readable non-transitory storage medium |
US9954849B2 (en) * | 2014-06-27 | 2018-04-24 | Oath (Americas) Inc. | Systems and methods for managing secure sharing of online advertising data |
WO2016027121A1 (en) * | 2014-08-20 | 2016-02-25 | Intel Corporation | Encrypted code execution |
US9967319B2 (en) * | 2014-10-07 | 2018-05-08 | Microsoft Technology Licensing, Llc | Security context management in multi-tenant environments |
GB2531770A (en) * | 2014-10-30 | 2016-05-04 | Ibm | Confidential Extracting System Internal Data |
US9418246B2 (en) * | 2014-12-15 | 2016-08-16 | Freescale Semiconductor, Inc. | Decryption systems and related methods for on-the-fly decryption within integrated circuits |
US9729319B2 (en) * | 2014-12-15 | 2017-08-08 | Nxp Usa, Inc. | Key management for on-the-fly hardware decryption within integrated circuits |
JP2016181836A (en) * | 2015-03-24 | 2016-10-13 | キヤノン株式会社 | Information processor, cryptographic device, control method of information processor and program |
US10311229B1 (en) * | 2015-05-18 | 2019-06-04 | Amazon Technologies, Inc. | Mitigating timing side-channel attacks by obscuring alternatives in code |
US10868665B1 (en) * | 2015-05-18 | 2020-12-15 | Amazon Technologies, Inc. | Mitigating timing side-channel attacks by obscuring accesses to sensitive data |
CN105530088A (en) * | 2015-09-01 | 2016-04-27 | 北京中电华大电子设计有限责任公司 | Safe JAVA card secret key storage method |
US10297003B2 (en) * | 2015-09-21 | 2019-05-21 | Qualcomm Incorporated | Efficient saving and restoring of context information for context switches |
US9449189B1 (en) * | 2015-11-03 | 2016-09-20 | International Business Machines Corporation | Protection of state data in computer system code |
US10210040B2 (en) | 2016-01-28 | 2019-02-19 | Nxp Usa, Inc. | Multi-dimensional parity checker (MDPC) systems and related methods for external memories |
US9418327B1 (en) | 2016-01-29 | 2016-08-16 | International Business Machines Corporation | Security key system |
EP3443432A4 (en) * | 2016-04-12 | 2020-04-01 | Guardknox Cyber Technologies Ltd. | Specially programmed computing systems with associated devices configured to implement secure lockdowns and methods of use thereof |
KR101855905B1 (en) * | 2016-07-15 | 2018-06-19 | 주식회사 마크애니 | Video export processing server, video export web server and video export management system, and digital video integraty verification method for encrypted videos |
DE102016009439A1 (en) * | 2016-08-03 | 2018-02-08 | Giesecke+Devrient Mobile Security Gmbh | Individual encryption of control commands |
CN107066331B (en) * | 2016-12-20 | 2021-05-18 | 华为技术有限公司 | TrustZone-based resource allocation method and equipment |
DE102017212618B3 (en) | 2017-07-21 | 2018-12-13 | Bundesdruckerei Gmbh | Hardware system with blockchain |
FR3069935A1 (en) * | 2017-08-01 | 2019-02-08 | Maxim Integrated Products, Inc. | DEVICES AND METHODS FOR INTELLECTUAL PROPERTY PROTECTION OF SOFTWARE FOR INTEGRATED PLATFORMS |
KR20190075363A (en) * | 2017-12-21 | 2019-07-01 | 삼성전자주식회사 | Semiconductor memory device, memory system and memory module including the same |
GB2572579B (en) * | 2018-04-04 | 2020-09-16 | Advanced Risc Mach Ltd | Speculative side-channel hint instruction |
US11113424B2 (en) | 2019-05-07 | 2021-09-07 | Motorola Solutions, Inc. | Device, system and method for installing encrypted data |
JP7249968B2 (en) * | 2020-03-09 | 2023-03-31 | 株式会社東芝 | Information processing equipment and storage |
US11502832B2 (en) | 2020-06-04 | 2022-11-15 | PUFsecurity Corporation | Electronic device capable of protecting confidential data |
KR102512342B1 (en) * | 2021-02-23 | 2023-03-22 | 엘아이지넥스원 주식회사 | Method and Apparatus for Checking Inspection Objects That Processes Encryption or Decryption by Storing The Secret Key in The Cache Memory |
US11868275B2 (en) | 2021-06-24 | 2024-01-09 | International Business Machines Corporation | Encrypted data processing design including local buffers |
US12008150B2 (en) * | 2021-06-24 | 2024-06-11 | International Business Machines Corporation | Encrypted data processing design including cleartext register files |
Family Cites Families (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4168396A (en) | 1977-10-31 | 1979-09-18 | Best Robert M | Microprocessor for executing enciphered programs |
US4558176A (en) * | 1982-09-20 | 1985-12-10 | Arnold Mark G | Computer systems to inhibit unauthorized copying, unauthorized usage, and automated cracking of protected software |
US4847902A (en) * | 1984-02-10 | 1989-07-11 | Prime Computer, Inc. | Digital computer system for executing encrypted programs |
EP0175487A3 (en) * | 1984-08-23 | 1989-03-08 | Btg International Limited | Software protection device |
US4757533A (en) * | 1985-09-11 | 1988-07-12 | Computer Security Corporation | Security system for microcomputers |
US5123045A (en) * | 1989-08-18 | 1992-06-16 | Massachusetts Institute Of Technology | Comprehensive software protection system |
JPH0770629B2 (en) | 1990-03-20 | 1995-07-31 | 株式会社東芝 | Method of manufacturing nonvolatile semiconductor memory device |
JPH0520197A (en) | 1991-07-09 | 1993-01-29 | Hitachi Ltd | Storage control system and microprocessor |
US5224166A (en) | 1992-08-11 | 1993-06-29 | International Business Machines Corporation | System for seamless processing of encrypted and non-encrypted data and instructions |
US5495411A (en) * | 1993-12-22 | 1996-02-27 | Ananda; Mohan | Secure software rental system using continuous asynchronous password verification |
US5666411A (en) * | 1994-01-13 | 1997-09-09 | Mccarty; Johnnie C. | System for computer software protection |
US6473860B1 (en) * | 1994-04-07 | 2002-10-29 | Hark C. Chan | Information distribution and processing system |
US5805706A (en) * | 1996-04-17 | 1998-09-08 | Intel Corporation | Apparatus and method for re-encrypting data without unsecured exposure of its non-encrypted format |
US5701343A (en) | 1994-12-01 | 1997-12-23 | Nippon Telegraph & Telephone Corporation | Method and system for digital information protection |
EP1526472A3 (en) * | 1995-02-13 | 2006-07-26 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US6246767B1 (en) * | 1995-04-03 | 2001-06-12 | Scientific-Atlanta, Inc. | Source authentication of download information in a conditional access system |
JPH08305558A (en) | 1995-04-27 | 1996-11-22 | Casio Comput Co Ltd | Ciphering program arithmetic unit |
US6006328A (en) * | 1995-07-14 | 1999-12-21 | Christopher N. Drake | Computer software authentication, protection, and security system |
US5894516A (en) * | 1996-07-10 | 1999-04-13 | Ncr Corporation | Broadcast software distribution |
US5825878A (en) * | 1996-09-20 | 1998-10-20 | Vlsi Technology, Inc. | Secure memory management unit for microprocessor |
JP2980576B2 (en) | 1997-09-12 | 1999-11-22 | 株式会社東芝 | Physical random number generating apparatus and method, and physical random number recording medium |
US6429879B1 (en) * | 1997-09-30 | 2002-08-06 | Compaq Computer Corporation | Customization schemes for content presentation in a device with converged functionality |
US6003117A (en) * | 1997-10-08 | 1999-12-14 | Vlsi Technology, Inc. | Secure memory management unit which utilizes a system processor to perform page swapping |
US6237137B1 (en) | 1997-10-15 | 2001-05-22 | Dell Usa, L.P. | Method and system for preventing unauthorized access to a computer program |
US6330549B1 (en) * | 1997-10-30 | 2001-12-11 | Xerox Corporation | Protected shareware |
JPH11282667A (en) | 1998-03-31 | 1999-10-15 | Nakamichi Corp | Microprocessor having cipher processing function of multiple key system |
JP3713141B2 (en) * | 1998-05-19 | 2005-11-02 | インターナショナル・ビジネス・マシーンズ・コーポレーション | How to prevent unauthorized execution of programs |
US6385727B1 (en) * | 1998-09-25 | 2002-05-07 | Hughes Electronics Corporation | Apparatus for providing a secure processing environment |
WO2000019299A1 (en) | 1998-09-25 | 2000-04-06 | Hughes Electronics Corporation | An apparatus for providing a secure processing environment |
US6567915B1 (en) * | 1998-10-23 | 2003-05-20 | Microsoft Corporation | Integrated circuit card with identity authentication table and authorization tables defining access rights based on Boolean expressions of authenticated identities |
US6836847B1 (en) * | 1999-03-05 | 2004-12-28 | The Johns Hopkins University | Software protection for single and multiple microprocessor systems |
US6691226B1 (en) * | 1999-03-16 | 2004-02-10 | Western Digital Ventures, Inc. | Computer system with disk drive having private key validation means for enabling features |
US6651171B1 (en) * | 1999-04-06 | 2003-11-18 | Microsoft Corporation | Secure execution of program code |
US6468160B2 (en) * | 1999-04-08 | 2002-10-22 | Nintendo Of America, Inc. | Security system for video game system with hard disk drive and internet access capability |
WO2001001227A1 (en) * | 1999-06-30 | 2001-01-04 | Accenture Llp | A system, method and article of manufacture for tracking software sale transactions of an internet-based retailer for reporting to a software publisher |
US6983374B2 (en) | 2000-02-14 | 2006-01-03 | Kabushiki Kaisha Toshiba | Tamper resistant microprocessor |
JP4153653B2 (en) | 2000-10-31 | 2008-09-24 | 株式会社東芝 | Microprocessor and data protection method |
2001
- 2001-02-13 US US09/781,158 patent/US6983374B2/en not_active Expired - Fee Related
- 2001-02-13 US US09/781,284 patent/US7270193B2/en not_active Expired - Fee Related
- 2001-02-14 EP EP01301241A patent/EP1126356B1/en not_active Expired - Lifetime
- 2001-02-14 EP EP01301240A patent/EP1126355A1/en not_active Ceased
- 2001-02-14 KR KR1020010007301A patent/KR100362219B1/en not_active IP Right Cessation
- 2001-02-14 KR KR10-2001-0007300A patent/KR100375158B1/en not_active IP Right Cessation
- 2001-02-14 DE DE60135695T patent/DE60135695D1/en not_active Expired - Lifetime
- 2001-02-14 CN CNB011045124A patent/CN1220121C/en not_active Expired - Fee Related
- 2001-02-14 CN CNB011030003A patent/CN1189819C/en not_active Expired - Fee Related
2005
- 2005-03-04 US US11/071,327 patent/US7353404B2/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
MARKUS KUHN: "The Trust No 1 Cryptoprocessor Concept", 30 April 1997 (1997-04-30) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9087000B2 (en) | 2003-11-26 | 2015-07-21 | Intel Corporation | Accessing private data about the state of a data processing machine from storage that is publicly accessible |
US9348767B2 (en) | 2003-11-26 | 2016-05-24 | Intel Corporation | Accessing private data about the state of a data processing machine from storage that is publicly accessible |
Also Published As
Publication number | Publication date |
---|---|
EP1126356A3 (en) | 2003-01-08 |
KR20010082632A (en) | 2001-08-30 |
CN1309351A (en) | 2001-08-22 |
KR20010082631A (en) | 2001-08-30 |
DE60135695D1 (en) | 2008-10-23 |
US7353404B2 (en) | 2008-04-01 |
KR100375158B1 (en) | 2003-03-08 |
CN1189819C (en) | 2005-02-16 |
KR100362219B1 (en) | 2002-11-23 |
EP1126356A2 (en) | 2001-08-22 |
US7270193B2 (en) | 2007-09-18 |
EP1126355A1 (en) | 2001-08-22 |
US20010018736A1 (en) | 2001-08-30 |
US20050166069A1 (en) | 2005-07-28 |
CN1309355A (en) | 2001-08-22 |
CN1220121C (en) | 2005-09-21 |
US20010014157A1 (en) | 2001-08-16 |
US6983374B2 (en) | 2006-01-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1126356B1 (en) | Tamper resistant microprocessor | |
JP4226760B2 (en) | Microprocessor, multitask execution method using the same, and multired execution method | |
US10685145B2 (en) | Secure processor and a program for a secure processor | |
US10360411B2 (en) | Secure processing unit systems and methods | |
JP4989543B2 (en) | Security control in data processing system based on memory domain | |
US9756048B2 (en) | System and methods for executing encrypted managed programs | |
JP2002202720A (en) | Method for sharing enciphered data area among processes in a tamper-resistant processor | |
JP4347582B2 (en) | Information processing device | |
CN115391235B (en) | Hardware-assisted software security protection method, equipment and medium | |
JP2004272816A (en) | System and method for performing multitask | |
JP2004272594A (en) | Data use device, data use method and computer program | |
WO2005092060A2 (en) | Apparatus and method for intellectual property protection using the microprocessor serial number |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20010223 |
AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
AX | Request for extension of the european patent | Free format text: AL;LT;LV;MK;RO;SI |
PUAL | Search report despatched | Free format text: ORIGINAL CODE: 0009013 |
AK | Designated contracting states | Kind code of ref document: A3 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
AX | Request for extension of the european patent | Free format text: AL;LT;LV;MK;RO;SI |
AKX | Designation fees paid | Designated state(s): DE FR GB |
17Q | First examination report despatched | Effective date: 20050510 |
GRAP | Despatch of communication of intention to grant a patent | Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
RIC1 | Information provided on ipc code assigned before grant | Ipc: G06F 21/02 20060101AFI20080311BHEP |
GRAS | Grant fee paid | Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
GRAA | (expected) grant | Free format text: ORIGINAL CODE: 0009210 |
AK | Designated contracting states | Kind code of ref document: B1 Designated state(s): DE FR GB |
REG | Reference to a national code | Ref country code: GB Ref legal event code: FG4D |
REF | Corresponds to: | Ref document number: 60135695 Country of ref document: DE Date of ref document: 20081023 Kind code of ref document: P |
PLBE | No opposition filed within time limit | Free format text: ORIGINAL CODE: 0009261 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
26N | No opposition filed | Effective date: 20090611 |
REG | Reference to a national code | Ref country code: FR Ref legal event code: ST Effective date: 20091030 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20090302 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: GB Payment date: 20130213 Year of fee payment: 13 Ref country code: DE Payment date: 20130206 Year of fee payment: 13 |
REG | Reference to a national code | Ref country code: DE Ref legal event code: R119 Ref document number: 60135695 Country of ref document: DE |
GBPC | Gb: european patent ceased through non-payment of renewal fee | Effective date: 20140214 |
REG | Reference to a national code | Ref country code: DE Ref legal event code: R079 Ref document number: 60135695 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: G06F0021020000 Ipc: G06F0021000000 |
REG | Reference to a national code | Ref country code: DE Ref legal event code: R079 Ref document number: 60135695 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: G06F0021020000 Ipc: G06F0021000000 Effective date: 20141103 Ref country code: DE Ref legal event code: R119 Ref document number: 60135695 Country of ref document: DE Effective date: 20140902 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20140214 Ref country code: DE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20140902 |